{"matches":[{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. 
An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-63a0ee4bf8b861f1","name":"cockpit","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit:cockpit:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit@337-1?arch=all&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. 
An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. 
The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-bridge-533cf830c036bb8f","name":"cockpit-bridge","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit-bridge:cockpit-bridge:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit-bridge:cockpit_bridge:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_bridge:cockpit-bridge:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_bridge:cockpit_bridge:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit-bridge:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit_bridge:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit-bridge@337-1?arch=all&distro=debian-13&upstream=cockpit","upstreams":[{"name":"cockpit"}]}},{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. 
An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. 
The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-networkmanager-be75fc88673067c5","name":"cockpit-networkmanager","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit-networkmanager:cockpit-networkmanager:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit-networkmanager:cockpit_networkmanager:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_networkmanager:cockpit-networkmanager:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_networkmanager:cockpit_networkmanager:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit-networkmanager:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit_networkmanager:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit-networkmanager@337-1?arch=all&distro=debian-13&upstream=cockpit","upstreams":[{"name":"cockpit"}]}},{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames 
and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. 
The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-packagekit-f81914f1c89afac2","name":"cockpit-packagekit","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit-packagekit:cockpit-packagekit:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit-packagekit:cockpit_packagekit:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_packagekit:cockpit-packagekit:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_packagekit:cockpit_packagekit:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit-packagekit:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit_packagekit:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit-packagekit@337-1?arch=all&distro=debian-13&upstream=cockpit","upstreams":[{"name":"cockpit"}]}},{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH 
client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. 
The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-sosreport-54bd970756885784","name":"cockpit-sosreport","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit-sosreport:cockpit-sosreport:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit-sosreport:cockpit_sosreport:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_sosreport:cockpit-sosreport:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_sosreport:cockpit_sosreport:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit-sosreport:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit_sosreport:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit-sosreport@337-1?arch=all&distro=debian-13&upstream=cockpit","upstreams":[{"name":"cockpit"}]}},{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without 
validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. 
The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-storaged-4a114d01653e7ba5","name":"cockpit-storaged","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit-storaged:cockpit-storaged:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit-storaged:cockpit_storaged:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_storaged:cockpit-storaged:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_storaged:cockpit_storaged:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit-storaged:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit_storaged:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit-storaged@337-1?arch=all&distro=debian-13&upstream=cockpit","upstreams":[{"name":"cockpit"}]}},{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or 
sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. 
The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-system-154be553cf66ce8a","name":"cockpit-system","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit-system:cockpit-system:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit-system:cockpit_system:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_system:cockpit-system:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_system:cockpit_system:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit-system:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit_system:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit-system@337-1?arch=all&distro=debian-13&upstream=cockpit","upstreams":[{"name":"cockpit"}]}},{"vulnerability":{"id":"CVE-2026-4631","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4631","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. 
An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":3.387760000000001},"relatedVulnerabilities":[{"id":"CVE-2026-4631","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4631","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2026:7381","https://access.redhat.com/errata/RHSA-2026:7382","https://access.redhat.com/errata/RHSA-2026:7383","https://access.redhat.com/errata/RHSA-2026:7384","https://access.redhat.com/security/cve/CVE-2026-4631","https://bugzilla.redhat.com/show_bug.cgi?id=2450246","http://www.openwall.com/lists/oss-security/2026/04/10/5"],"description":"Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. 
The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4631","epss":0.03604,"percentile":0.8781,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4631","cwe":"CWE-78","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"cockpit","version":"337-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4631","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-cockpit-ws-6ccf6a0744d1c4b6","name":"cockpit-ws","version":"337-1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-MIT-IBM-immunity AND LicenseRef-MIT-X11"],"cpes":["cpe:2.3:a:cockpit-ws:cockpit-ws:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit-ws:cockpit_ws:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_ws:cockpit-ws:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit_ws:cockpit_ws:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit-ws:337-1:*:*:*:*:*:*:*","cpe:2.3:a:cockpit:cockpit_ws:337-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/cockpit-ws@337-1?arch=arm64&distro=debian-13&upstream=cockpit","upstreams":[{"name":"cockpit"}]}},{"vulnerability":{"id":"CVE-2020-15778","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-15778","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. 
NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"","cvss":[],"epss":[{"cve":"CVE-2020-15778","epss":0.61479,"percentile":0.98337,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":3.07395},"relatedVulnerabilities":[{"id":"CVE-2020-15778","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-15778","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/errata/RHSA-2024:3166","https://github.com/cpandya2909/CVE-2020-15778/","https://news.ycombinator.com/item?id=25005567","https://security.gentoo.org/glsa/202212-06","https://security.netapp.com/advisory/ntap-20200731-0007/","https://www.openssh.com/security.html"],"description":"scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. 
NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":1.6,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-15778","epss":0.61479,"percentile":0.98337,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-15778","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2020-15778","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-15778","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing 
workflows.\"","cvss":[],"epss":[{"cve":"CVE-2020-15778","epss":0.61479,"percentile":0.98337,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":3.07395},"relatedVulnerabilities":[{"id":"CVE-2020-15778","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-15778","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/errata/RHSA-2024:3166","https://github.com/cpandya2909/CVE-2020-15778/","https://news.ycombinator.com/item?id=25005567","https://security.gentoo.org/glsa/202212-06","https://security.netapp.com/advisory/ntap-20200731-0007/","https://www.openssh.com/security.html"],"description":"scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. 
NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":1.6,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-15778","epss":0.61479,"percentile":0.98337,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-15778","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2020-15778","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-15778","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing 
workflows.\"","cvss":[],"epss":[{"cve":"CVE-2020-15778","epss":0.61479,"percentile":0.98337,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":3.07395},"relatedVulnerabilities":[{"id":"CVE-2020-15778","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-15778","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/errata/RHSA-2024:3166","https://github.com/cpandya2909/CVE-2020-15778/","https://news.ycombinator.com/item?id=25005567","https://security.gentoo.org/glsa/202212-06","https://security.netapp.com/advisory/ntap-20200731-0007/","https://www.openssh.com/security.html"],"description":"scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. 
NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":1.6,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-15778","epss":0.61479,"percentile":0.98337,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-15778","cwe":"CWE-78","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-15778","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2019-6110","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-6110","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being 
transferred.","cvss":[],"epss":[{"cve":"CVE-2019-6110","epss":0.57569,"percentile":0.98173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":2.8784500000000004},"relatedVulnerabilities":[{"id":"CVE-2019-6110","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-6110","namespace":"nvd:cpe","severity":"Medium","urls":["https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf","https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c","https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c","https://security.gentoo.org/glsa/201903-16","https://security.netapp.com/advisory/ntap-20190213-0001/","https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt","https://www.exploit-db.com/exploits/46193/"],"description":"In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being 
transferred.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.8,"exploitabilityScore":1.7,"impactScore":5.2},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:N","metrics":{"baseScore":4,"exploitabilityScore":5,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.8,"exploitabilityScore":1.7,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-6110","epss":0.57569,"percentile":0.98173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-6110","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2019-6110","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-6110","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being 
transferred.","cvss":[],"epss":[{"cve":"CVE-2019-6110","epss":0.57569,"percentile":0.98173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":2.8784500000000004},"relatedVulnerabilities":[{"id":"CVE-2019-6110","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-6110","namespace":"nvd:cpe","severity":"Medium","urls":["https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf","https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c","https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c","https://security.gentoo.org/glsa/201903-16","https://security.netapp.com/advisory/ntap-20190213-0001/","https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt","https://www.exploit-db.com/exploits/46193/"],"description":"In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being 
transferred.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.8,"exploitabilityScore":1.7,"impactScore":5.2},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:N","metrics":{"baseScore":4,"exploitabilityScore":5,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.8,"exploitabilityScore":1.7,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-6110","epss":0.57569,"percentile":0.98173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-6110","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2019-6110","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-6110","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being 
transferred.","cvss":[],"epss":[{"cve":"CVE-2019-6110","epss":0.57569,"percentile":0.98173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":2.8784500000000004},"relatedVulnerabilities":[{"id":"CVE-2019-6110","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-6110","namespace":"nvd:cpe","severity":"Medium","urls":["https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf","https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c","https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c","https://security.gentoo.org/glsa/201903-16","https://security.netapp.com/advisory/ntap-20190213-0001/","https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt","https://www.exploit-db.com/exploits/46193/"],"description":"In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being 
transferred.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.8,"exploitabilityScore":1.7,"impactScore":5.2},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:N","metrics":{"baseScore":4,"exploitabilityScore":5,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.8,"exploitabilityScore":1.7,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-6110","epss":0.57569,"percentile":0.98173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2019-6110","cwe":"CWE-838","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-6110","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2023-51596","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51596","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.  The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. 
Was ZDI-CAN-20939.","cvss":[{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.2,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51596","epss":0.02808,"percentile":0.86174,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51596","cwe":"CWE-122","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":2.04984},"relatedVulnerabilities":[{"id":"CVE-2023-51596","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51596","namespace":"nvd:cpe","severity":"High","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1902/"],"description":"BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.\n\nThe specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. 
Was ZDI-CAN-20939.","cvss":[{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.2,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51596","epss":0.02808,"percentile":0.86174,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51596","cwe":"CWE-122","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51596","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-51596","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51596","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.  The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. 
An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20939.","cvss":[{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.2,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51596","epss":0.02808,"percentile":0.86174,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51596","cwe":"CWE-122","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":2.04984},"relatedVulnerabilities":[{"id":"CVE-2023-51596","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51596","namespace":"nvd:cpe","severity":"High","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1902/"],"description":"BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.\n\nThe specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. 
Was ZDI-CAN-20939.","cvss":[{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.2,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51596","epss":0.02808,"percentile":0.86174,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51596","cwe":"CWE-122","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51596","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2023-44431","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-44431","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. 
An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19909.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8,"exploitabilityScore":2.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-44431","epss":0.02464,"percentile":0.85301,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-44431","cwe":"CWE-121","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":1.9095999999999997},"relatedVulnerabilities":[{"id":"CVE-2023-44431","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-44431","namespace":"nvd:cpe","severity":"High","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1900/"],"description":"BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. 
Was ZDI-CAN-19909.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8,"exploitabilityScore":2.1,"impactScore":5.9},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.2,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-44431","epss":0.02464,"percentile":0.85301,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-44431","cwe":"CWE-121","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-44431","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-44431","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-44431","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  The specific flaw exists within the handling of the AVRCP protocol. 
The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19909.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8,"exploitabilityScore":2.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-44431","epss":0.02464,"percentile":0.85301,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-44431","cwe":"CWE-121","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":1.9095999999999997},"relatedVulnerabilities":[{"id":"CVE-2023-44431","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-44431","namespace":"nvd:cpe","severity":"High","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1900/"],"description":"BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. 
Was ZDI-CAN-19909.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8,"exploitabilityScore":2.1,"impactScore":5.9},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.2,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-44431","epss":0.02464,"percentile":0.85301,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-44431","cwe":"CWE-121","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-44431","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2024-56433","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-56433","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory 
(or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":3.6,"exploitabilityScore":1.1,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-56433","epss":0.04509,"percentile":0.89178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-56433","cwe":"CWE-1188","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":1.4879699999999998},"relatedVulnerabilities":[{"id":"CVE-2024-56433","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-56433","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241","https://github.com/shadow-maint/shadow/issues/1157","https://github.com/shadow-maint/shadow/releases/tag/4.4"],"description":"shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). 
NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":3.6,"exploitabilityScore":1.1,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-56433","epss":0.04509,"percentile":0.89178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-56433","cwe":"CWE-1188","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"shadow","version":"1:4.17.4-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-56433","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-login.defs-893ab677af71bedc","name":"login.defs","version":"1:4.17.4-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-1.0-only AND GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:login.defs:login.defs:1\\:4.17.4-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/login.defs@1%3A4.17.4-2?arch=all&distro=debian-13&upstream=shadow","upstreams":[{"name":"shadow"}]}},{"vulnerability":{"id":"CVE-2024-56433","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-56433","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). 
NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":3.6,"exploitabilityScore":1.1,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-56433","epss":0.04509,"percentile":0.89178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-56433","cwe":"CWE-1188","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":1.4879699999999998},"relatedVulnerabilities":[{"id":"CVE-2024-56433","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-56433","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241","https://github.com/shadow-maint/shadow/issues/1157","https://github.com/shadow-maint/shadow/releases/tag/4.4"],"description":"shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). 
NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":3.6,"exploitabilityScore":1.1,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-56433","epss":0.04509,"percentile":0.89178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-56433","cwe":"CWE-1188","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"shadow","version":"1:4.17.4-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-56433","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-passwd-83a4f25e33a63fb3","name":"passwd","version":"1:4.17.4-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-1.0-only AND GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:passwd:passwd:1\\:4.17.4-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/passwd@1%3A4.17.4-2?arch=arm64&distro=debian-13&upstream=shadow","upstreams":[{"name":"shadow"}]}},{"vulnerability":{"id":"CVE-2016-20012","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-20012","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. 
NOTE: the vendor does not recognize user enumeration as a vulnerability for this product","cvss":[],"epss":[{"cve":"CVE-2016-20012","epss":0.14603,"percentile":0.94495,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-20012","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.73015},"relatedVulnerabilities":[{"id":"CVE-2016-20012","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-20012","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265","https://github.com/openssh/openssh-portable/pull/270","https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097","https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185","https://rushter.com/blog/public-ssh-keys/","https://security.netapp.com/advisory/ntap-20211014-0005/","https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak","https://www.openwall.com/lists/oss-security/2018/08/24/1"],"description":"OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. 
NOTE: the vendor does not recognize user enumeration as a vulnerability for this product","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-20012","epss":0.14603,"percentile":0.94495,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-20012","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-20012","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2016-20012","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-20012","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. 
NOTE: the vendor does not recognize user enumeration as a vulnerability for this product","cvss":[],"epss":[{"cve":"CVE-2016-20012","epss":0.14603,"percentile":0.94495,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-20012","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.73015},"relatedVulnerabilities":[{"id":"CVE-2016-20012","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-20012","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265","https://github.com/openssh/openssh-portable/pull/270","https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097","https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185","https://rushter.com/blog/public-ssh-keys/","https://security.netapp.com/advisory/ntap-20211014-0005/","https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak","https://www.openwall.com/lists/oss-security/2018/08/24/1"],"description":"OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. 
NOTE: the vendor does not recognize user enumeration as a vulnerability for this product","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-20012","epss":0.14603,"percentile":0.94495,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-20012","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-20012","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2016-20012","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-20012","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. 
NOTE: the vendor does not recognize user enumeration as a vulnerability for this product","cvss":[],"epss":[{"cve":"CVE-2016-20012","epss":0.14603,"percentile":0.94495,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-20012","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.73015},"relatedVulnerabilities":[{"id":"CVE-2016-20012","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-20012","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265","https://github.com/openssh/openssh-portable/pull/270","https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097","https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185","https://rushter.com/blog/public-ssh-keys/","https://security.netapp.com/advisory/ntap-20211014-0005/","https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak","https://www.openwall.com/lists/oss-security/2018/08/24/1"],"description":"OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. 
NOTE: the vendor does not recognize user enumeration as a vulnerability for this product","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-20012","epss":0.14603,"percentile":0.94495,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-20012","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-20012","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2025-6069","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6069","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.40175999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-6069","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6069","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949","https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41","https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49","https://github.com/python/cpython/commit/ab0893fd5c579d9cea30841680e6d35fc478afb5","https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b","https://github.com/python/cpython/commit/f3c6f882cddc8dc30320d2e73edf019e201394fc","https://github.com/python/cpython/commit/fdc9d214c01cb4588f540cfa03726bbf2a33fc15","https://github.com/python/cpython/issues/135462","https://github.com/python/cpython/pull/135464","https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/"],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6069","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-6069","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6069","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.40175999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-6069","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6069","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949","https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41","https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49","https://github.com/python/cpython/commit/ab0893fd5c579d9cea30841680e6d35fc478afb5","https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b","https://github.com/python/cpython/commit/f3c6f882cddc8dc30320d2e73edf019e201394fc","https://github.com/python/cpython/commit/fdc9d214c01cb4588f540cfa03726bbf2a33fc15","https://github.com/python/cpython/issues/135462","https://github.com/python/cpython/pull/135464","https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/"],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6069","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-6069","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6069","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.40175999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-6069","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6069","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949","https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41","https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49","https://github.com/python/cpython/commit/ab0893fd5c579d9cea30841680e6d35fc478afb5","https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b","https://github.com/python/cpython/commit/f3c6f882cddc8dc30320d2e73edf019e201394fc","https://github.com/python/cpython/commit/fdc9d214c01cb4588f540cfa03726bbf2a33fc15","https://github.com/python/cpython/issues/135462","https://github.com/python/cpython/pull/135464","https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/"],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6069","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-6069","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6069","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.40175999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-6069","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6069","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949","https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41","https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49","https://github.com/python/cpython/commit/ab0893fd5c579d9cea30841680e6d35fc478afb5","https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b","https://github.com/python/cpython/commit/f3c6f882cddc8dc30320d2e73edf019e201394fc","https://github.com/python/cpython/commit/fdc9d214c01cb4588f540cfa03726bbf2a33fc15","https://github.com/python/cpython/issues/135462","https://github.com/python/cpython/pull/135464","https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/"],"description":"The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified 
denial-of-service.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6069","epss":0.00864,"percentile":0.75166,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6069","cwe":"CWE-1333","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6069","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2008-0456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-0456","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote 
authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the file.","cvss":[],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.38215000000000005},"relatedVulnerabilities":[{"id":"CVE-2008-0456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-0456","namespace":"nvd:cpe","severity":"Low","urls":["http://lists.apple.com/archives/security-announce/2009/May/msg00002.html","http://rhn.redhat.com/errata/RHSA-2013-0130.html","http://secunia.com/advisories/29348","http://secunia.com/advisories/35074","http://security.gentoo.org/glsa/glsa-200803-19.xml","http://securityreason.com/securityalert/3575","http://securitytracker.com/id?1019256","http://support.apple.com/kb/HT3549","http://www.mindedsecurity.com/MSA01150108.html","http://www.securityfocus.com/archive/1/486847/100/0/threaded","http://www.securityfocus.com/bid/27409","http://www.us-cert.gov/cas/techalerts/TA09-133A.html","http://www.vupen.com/english/advisories/2009/1297","https://exchange.xforce.ibmcloud.com/vulnerabilities/39893","https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E","https:
//lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"],"description":"CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-0456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2008-0456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-0456","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) 
\"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the file.","cvss":[],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.38215000000000005},"relatedVulnerabilities":[{"id":"CVE-2008-0456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-0456","namespace":"nvd:cpe","severity":"Low","urls":["http://lists.apple.com/archives/security-announce/2009/May/msg00002.html","http://rhn.redhat.com/errata/RHSA-2013-0130.html","http://secunia.com/advisories/29348","http://secunia.com/advisories/35074","http://security.gentoo.org/glsa/glsa-200803-19.xml","http://securityreason.com/securityalert/3575","http://securitytracker.com/id?1019256","http://support.apple.com/kb/HT3549","http://www.mindedsecurity.com/MSA01150108.html","http://www.securityfocus.com/archive/1/486847/100/0/threaded","http://www.securityfocus.com/bid/27409","http://www.us-cert.gov/cas/techalerts/TA09-133A.html","http://www.vupen.com/english/advisories/2009/1297","https://exchange.xforce.ibmcloud.com/vulnerabilities/39893","https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apa
che.org%3E","https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"],"description":"CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-0456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2008-0456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-0456","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"CRLF injection vulnerability in the mod_negotiation module in 
the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the file.","cvss":[],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.38215000000000005},"relatedVulnerabilities":[{"id":"CVE-2008-0456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-0456","namespace":"nvd:cpe","severity":"Low","urls":["http://lists.apple.com/archives/security-announce/2009/May/msg00002.html","http://rhn.redhat.com/errata/RHSA-2013-0130.html","http://secunia.com/advisories/29348","http://secunia.com/advisories/35074","http://security.gentoo.org/glsa/glsa-200803-19.xml","http://securityreason.com/securityalert/3575","http://securitytracker.com/id?1019256","http://support.apple.com/kb/HT3549","http://www.mindedsecurity.com/MSA01150108.html","http://www.securityfocus.com/archive/1/486847/100/0/threaded","http://www.securityfocus.com/bid/27409","http://www.us-cert.gov/cas/techalerts/TA09-133A.html","http://www.vupen.com/english/advisories/2009/1297","https://exchange.xforce.ibmcloud.com/vulnerabilities/39893","https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3
Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"],"description":"CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-0456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2008-0456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-0456","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"CRLF injection vulnerability in the mod_negotiation 
module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the file.","cvss":[],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.38215000000000005},"relatedVulnerabilities":[{"id":"CVE-2008-0456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-0456","namespace":"nvd:cpe","severity":"Low","urls":["http://lists.apple.com/archives/security-announce/2009/May/msg00002.html","http://rhn.redhat.com/errata/RHSA-2013-0130.html","http://secunia.com/advisories/29348","http://secunia.com/advisories/35074","http://security.gentoo.org/glsa/glsa-200803-19.xml","http://securityreason.com/securityalert/3575","http://securitytracker.com/id?1019256","http://support.apple.com/kb/HT3549","http://www.mindedsecurity.com/MSA01150108.html","http://www.securityfocus.com/archive/1/486847/100/0/threaded","http://www.securityfocus.com/bid/27409","http://www.us-cert.gov/cas/techalerts/TA09-133A.html","http://www.vupen.com/english/advisories/2009/1297","https://exchange.xforce.ibmcloud.com/vulnerabilities/39893","https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d
201f7%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"],"description":"CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) \"406 Not Acceptable\" or (2) \"300 Multiple Choices\" HTTP response when the extension is omitted in a request for the 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-0456","epss":0.07643,"percentile":0.91897,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-0456","cwe":"CWE-74","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-0456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2017-17740","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-17740","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"contrib/slapd-modules/nops/nops.c 
in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.","cvss":[],"epss":[{"cve":"CVE-2017-17740","epss":0.06138,"percentile":0.90841,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-17740","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.3069},"relatedVulnerabilities":[{"id":"CVE-2017-17740","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-17740","namespace":"nvd:cpe","severity":"High","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html","http://www.openldap.org/its/index.cgi/Incoming?id=8759","https://kc.mcafee.com/corporate/index?page=content&id=SB10365","https://www.oracle.com/security-alerts/cpuapr2022.html"],"description":"contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN 
operation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-17740","epss":0.06138,"percentile":0.90841,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-17740","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-17740","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap-common-0c527d3d89610a10","name":"libldap-common","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap-common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap-common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap-common@2.6.10%2Bdfsg-1?arch=all&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2017-17740","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-17740","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.","cvss":[],"epss":[{"cve":"CVE-2017-17740","epss":0.06138,"percentile":0.90841,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-17740","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.3069},"relatedVulnerabilities":[{"id":"CVE-2017-17740","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-17740","namespace":"nvd:cpe","severity":"High","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html","http://www.openldap.org/its/index.cgi/Incoming?id=8759","https://kc.mcafee.com/corporate/index?page=content&id=SB10365","https://www.oracle.com/security-alerts/cpuapr2022.html"],"description":"contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a 
buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-17740","epss":0.06138,"percentile":0.90841,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-17740","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-17740","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap2-c8352a83e37f53d5","name":"libldap2","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap2:libldap2:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap2@2.6.10%2Bdfsg-1?arch=arm64&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2008-3234","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-3234","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.","cvss":[],"epss":[{"cve":"CVE-2008-3234","epss":0.04643,"percentile":0.89327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-3234","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.23215000000000002},"relatedVulnerabilities":[{"id":"CVE-2008-3234","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-3234","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/30276","https://exchange.xforce.ibmcloud.com/vulnerabilities/44037","https://www.exploit-db.com/exploits/6094"],"description":"sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the 
username.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":6.5,"exploitabilityScore":8,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-3234","epss":0.04643,"percentile":0.89327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-3234","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-3234","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2008-3234","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-3234","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to 
obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.","cvss":[],"epss":[{"cve":"CVE-2008-3234","epss":0.04643,"percentile":0.89327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-3234","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.23215000000000002},"relatedVulnerabilities":[{"id":"CVE-2008-3234","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-3234","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/30276","https://exchange.xforce.ibmcloud.com/vulnerabilities/44037","https://www.exploit-db.com/exploits/6094"],"description":"sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":6.5,"exploitabilityScore":8,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-3234","epss":0.04643,"percentile":0.89327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-3234","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-3234","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2008-3234","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-3234","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.","cvss":[],"epss":[{"cve":"CVE-2008-3234","epss":0.04643,"percentile":0.89327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-3234","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.23215000000000002},"relatedVulnerabilities":[{"id":"CVE-2008-3234","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-3234","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/30276","https://exchange.xforce.ibmcloud.com/vulnerabilities/44037","https://www.exploit-db.com/exploits/6094"],"description":"sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the 
username.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":6.5,"exploitabilityScore":8,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-3234","epss":0.04643,"percentile":0.89327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-3234","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-3234","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2011-3389","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-3389","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" 
attack.","cvss":[],"epss":[{"cve":"CVE-2011-3389","epss":0.03933,"percentile":0.88364,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3389","cwe":"CWE-326","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.19665},"relatedVulnerabilities":[{"id":"CVE-2011-3389","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-3389","namespace":"nvd:cpe","severity":"Medium","urls":["http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/","http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx","http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx","http://curl.haxx.se/docs/adv_20120124B.html","http://downloads.asterisk.org/pub/security/AST-2016-001.html","http://ekoparty.org/2011/juliano-rizzo.php","http://eprint.iacr.org/2004/111","http://eprint.iacr.org/2006/136","http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html","http://isc.sans.edu/diary/SSL+TLS+part+3+/11635","http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html","http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html","http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html","http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html","http://lists.apple.com/archives/security-announce/2012/May/msg00001.html","http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html","http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html","http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html","http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html","http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html","http://marc.info/?l=bugtraq&m=132750579901589&w=2","http://marc.info/?l=bugtraq&
m=132872385320240&w=2","http://marc.info/?l=bugtraq&m=133365109612558&w=2","http://marc.info/?l=bugtraq&m=133728004526190&w=2","http://marc.info/?l=bugtraq&m=134254866602253&w=2","http://marc.info/?l=bugtraq&m=134254957702612&w=2","http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue","http://osvdb.org/74829","http://rhn.redhat.com/errata/RHSA-2012-0508.html","http://rhn.redhat.com/errata/RHSA-2013-1455.html","http://secunia.com/advisories/45791","http://secunia.com/advisories/47998","http://secunia.com/advisories/48256","http://secunia.com/advisories/48692","http://secunia.com/advisories/48915","http://secunia.com/advisories/48948","http://secunia.com/advisories/49198","http://secunia.com/advisories/55322","http://secunia.com/advisories/55350","http://secunia.com/advisories/55351","http://security.gentoo.org/glsa/glsa-201203-02.xml","http://security.gentoo.org/glsa/glsa-201406-32.xml","http://support.apple.com/kb/HT4999","http://support.apple.com/kb/HT5001","http://support.apple.com/kb/HT5130","http://support.apple.com/kb/HT5281","http://support.apple.com/kb/HT5501","http://support.apple.com/kb/HT6150","http://technet.microsoft.com/security/advisory/2588513","http://vnhacker.blogspot.com/2011/09/beast.html","http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf","http://www.debian.org/security/2012/dsa-2398","http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html","http://www.ibm.com/developerworks/java/jdk/alerts/","http://www.imperialviolet.org/2011/09/23/chromeandbeast.html","http://www.insecure.cl/Beast-SSL.rar","http://www.kb.cert.org/vuls/id/864643","http://www.mandriva.com/security/advisories?name=MDVSA-2012:058","http://www.opera.com/docs/changelogs/mac/1151/","http://www.opera.com/docs/changelogs/mac/1160/","http://www.opera.com/docs/changelogs/unix/1151/","http://www.opera.com/docs/changelogs/unix/1160/","http://www.opera.com/docs/changelogs/windows/1151/","http://www.opera.com/docs/changelogs/wind
ows/1160/","http://www.opera.com/support/kb/view/1004/","http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html","http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html","http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html","http://www.redhat.com/support/errata/RHSA-2011-1384.html","http://www.redhat.com/support/errata/RHSA-2012-0006.html","http://www.securityfocus.com/bid/49388","http://www.securityfocus.com/bid/49778","http://www.securitytracker.com/id/1029190","http://www.securitytracker.com/id?1025997","http://www.securitytracker.com/id?1026103","http://www.securitytracker.com/id?1026704","http://www.ubuntu.com/usn/USN-1263-1","http://www.us-cert.gov/cas/techalerts/TA12-010A.html","https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail","https://bugzilla.novell.com/show_bug.cgi?id=719047","https://bugzilla.redhat.com/show_bug.cgi?id=737506","https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf","https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006","https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862","https://hermes.opensuse.org/messages/13154861","https://hermes.opensuse.org/messages/13155432","https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02","https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752"],"description":"The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" 
attack.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-3389","epss":0.03933,"percentile":0.88364,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3389","cwe":"CWE-326","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnutls28","version":"3.8.9-3+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-3389","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgnutls30t64-cd49605901c3ed69","name":"libgnutls30t64","version":"3.8.9-3+deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-3-Clause AND LicenseRef-CC0 AND LicenseRef-Expat AND FSFAP AND GFDL-1.3-only AND LicenseRef-GPL AND GPL-3.0-only AND LicenseRef-GPLv3- AND LicenseRef-LGPL AND LGPL-3.0-only AND LicenseRef-LGPLv2.1- AND LicenseRef-LGPLv3--or-GPLv2- AND LicenseRef-The"],"cpes":["cpe:2.3:a:libgnutls30t64:libgnutls30t64:3.8.9-3\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgnutls30t64@3.8.9-3%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=gnutls28","upstreams":[{"name":"gnutls28"}]}},{"vulnerability":{"id":"CVE-2025-8194","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8194","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.   
This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.19275},"relatedVulnerabilities":[{"id":"CVE-2025-8194","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8194","namespace":"nvd:cpe","severity":"High","urls":["https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38","https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227","https://github.com/python/cpython/issues/130577","https://github.com/python/cpython/pull/137027","https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/","http://www.openwall.com/lists/oss-security/2025/07/28/1","http://www.openwall.com/lists/oss-security/2025/07/28/2","https://github.com/python/cpython/pull/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/pull/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/pull/b
4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/pull/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpython/pull/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/pull/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227"],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8194","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-8194","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8194","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.   
This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.19275},"relatedVulnerabilities":[{"id":"CVE-2025-8194","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8194","namespace":"nvd:cpe","severity":"High","urls":["https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38","https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227","https://github.com/python/cpython/issues/130577","https://github.com/python/cpython/pull/137027","https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/","http://www.openwall.com/lists/oss-security/2025/07/28/1","http://www.openwall.com/lists/oss-security/2025/07/28/2","https://github.com/python/cpython/pull/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/pull/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/pull/b
4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/pull/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpython/pull/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/pull/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227"],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8194","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-8194","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8194","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.   
This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.19275},"relatedVulnerabilities":[{"id":"CVE-2025-8194","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8194","namespace":"nvd:cpe","severity":"High","urls":["https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38","https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227","https://github.com/python/cpython/issues/130577","https://github.com/python/cpython/pull/137027","https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/","http://www.openwall.com/lists/oss-security/2025/07/28/1","http://www.openwall.com/lists/oss-security/2025/07/28/2","https://github.com/python/cpython/pull/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/pull/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/pull/b
4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/pull/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpython/pull/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/pull/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227"],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8194","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-8194","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8194","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.   This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.19275},"relatedVulnerabilities":[{"id":"CVE-2025-8194","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8194","namespace":"nvd:cpe","severity":"High","urls":["https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38","https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpy
thon/commit/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227","https://github.com/python/cpython/issues/130577","https://github.com/python/cpython/pull/137027","https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/","http://www.openwall.com/lists/oss-security/2025/07/28/1","http://www.openwall.com/lists/oss-security/2025/07/28/2","https://github.com/python/cpython/pull/57f5981d6260ed21266e0c26951b8564cc252bc2","https://github.com/python/cpython/pull/73f03e4808206f71eb6b92c579505a220942ef19","https://github.com/python/cpython/pull/b4ec17488eedec36d3c05fec127df71c0071f6cb","https://github.com/python/cpython/pull/c9d9f78feb1467e73fd29356c040bde1c104f29f","https://github.com/python/cpython/pull/cdae923ffe187d6ef916c0f665a31249619193fe","https://github.com/python/cpython/pull/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227"],"description":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. 
\n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8194","epss":0.00257,"percentile":0.49038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8194","cwe":"CWE-835","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8194","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2005-2541","dataSource":"https://security-tracker.debian.org/tracker/CVE-2005-2541","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Tar 1.15.1 does not properly warn the user when extracting setuid or 
setgid files, which may allow local users or remote attackers to gain privileges.","cvss":[],"epss":[{"cve":"CVE-2005-2541","epss":0.03763,"percentile":0.88075,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2005-2541","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.18814999999999998},"relatedVulnerabilities":[{"id":"CVE-2005-2541","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2005-2541","namespace":"nvd:cpe","severity":"High","urls":["http://marc.info/?l=bugtraq&m=112327628230258&w=2","https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E"],"description":"Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","metrics":{"baseScore":10,"exploitabilityScore":10,"impactScore":10.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2005-2541","epss":0.03763,"percentile":0.88075,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2005-2541","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"tar","version":"1.35+dfsg-3.1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2005-2541","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-tar-44ddb5684c898749","name":"tar","version":"1.35+dfsg-3.1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:tar:tar:1.35\\+dfsg-3.1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/tar@1.35%2Bdfsg-3.1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2007-0086","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-0086","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.165},"relatedVulnerabilities":[{"id":"CVE-2007-0086","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-0086","namespace":"nvd:cpe","severity":"High","urls":["http://osvdb.org/33456","http://www.securityfocus.com/archive/1/455833/100/0/threaded","http://www.securityfocus.com/archive/1/455879/100/0/threaded","http://www.securityfocus.com/archive/1/455882/100/0/threaded","http://www.securityfocus.com/archive/1/455920/100/0/threaded"],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  
NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.8,"exploitabilityScore":10,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-0086","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2007-0086","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-0086","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple 
copies of the same fragment.  NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.165},"relatedVulnerabilities":[{"id":"CVE-2007-0086","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-0086","namespace":"nvd:cpe","severity":"High","urls":["http://osvdb.org/33456","http://www.securityfocus.com/archive/1/455833/100/0/threaded","http://www.securityfocus.com/archive/1/455879/100/0/threaded","http://www.securityfocus.com/archive/1/455882/100/0/threaded","http://www.securityfocus.com/archive/1/455920/100/0/threaded"],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  
NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.8,"exploitabilityScore":10,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-0086","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2007-0086","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-0086","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  
NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.165},"relatedVulnerabilities":[{"id":"CVE-2007-0086","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-0086","namespace":"nvd:cpe","severity":"High","urls":["http://osvdb.org/33456","http://www.securityfocus.com/archive/1/455833/100/0/threaded","http://www.securityfocus.com/archive/1/455879/100/0/threaded","http://www.securityfocus.com/archive/1/455882/100/0/threaded","http://www.securityfocus.com/archive/1/455920/100/0/threaded"],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  
NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.8,"exploitabilityScore":10,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-0086","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2007-0086","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-0086","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  
NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.165},"relatedVulnerabilities":[{"id":"CVE-2007-0086","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-0086","namespace":"nvd:cpe","severity":"High","urls":["http://osvdb.org/33456","http://www.securityfocus.com/archive/1/455833/100/0/threaded","http://www.securityfocus.com/archive/1/455879/100/0/threaded","http://www.securityfocus.com/archive/1/455882/100/0/threaded","http://www.securityfocus.com/archive/1/455920/100/0/threaded"],"description":"The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  
NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.8,"exploitabilityScore":10,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-0086","epss":0.033,"percentile":0.87271,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-0086","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-0086","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2018-15919","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-15919","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","cvss":[],"epss":[{"cve":"CVE-2018-15919","epss":0.02073,"percentile":0.84019,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.10364999999999999},"relatedVulnerabilities":[{"id":"CVE-2018-15919","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-15919","namespace":"nvd:cpe","severity":"Medium","urls":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/"],"description":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-15919","epss":0.02073,"percentile":0.84019,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-15919","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2018-15919","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-15919","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","cvss":[],"epss":[{"cve":"CVE-2018-15919","epss":0.02073,"percentile":0.84019,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.10364999999999999},"relatedVulnerabilities":[{"id":"CVE-2018-15919","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-15919","namespace":"nvd:cpe","severity":"Medium","urls":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/"],"description":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-15919","epss":0.02073,"percentile":0.84019,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-15919","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2018-15919","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-15919","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","cvss":[],"epss":[{"cve":"CVE-2018-15919","epss":0.02073,"percentile":0.84019,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.10364999999999999},"relatedVulnerabilities":[{"id":"CVE-2018-15919","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-15919","namespace":"nvd:cpe","severity":"Medium","urls":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/"],"description":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-15919","epss":0.02073,"percentile":0.84019,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-15919","cwe":"CWE-200","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-15919","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2003-1581","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1581","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" 
issue.","cvss":[],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.09875},"relatedVulnerabilities":[{"id":"CVE-2003-1581","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1581","namespace":"nvd:cpe","severity":"Low","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1581","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2003-1581","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1581","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.09875},"relatedVulnerabilities":[{"id":"CVE-2003-1581","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1581","namespace":"nvd:cpe","severity":"Low","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" 
issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1581","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2003-1581","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1581","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled 
for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.09875},"relatedVulnerabilities":[{"id":"CVE-2003-1581","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1581","namespace":"nvd:cpe","severity":"Low","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1581","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND 
LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2003-1581","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1581","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.09875},"relatedVulnerabilities":[{"id":"CVE-2003-1581","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1581","namespace":"nvd:cpe","severity":"Low","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in 
conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1581","epss":0.01975,"percentile":0.83628,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1581","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1581","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2015-3276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2015-3276","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.","cvss":[],"epss":[{"cve":"CVE-2015-3276","epss":0.01912,"percentile":0.83369,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.09560000000000002},"relatedVulnerabilities":[{"id":"CVE-2015-3276","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2015-3276","namespace":"nvd:cpe","severity":"High","urls":["http://rhn.redhat.com/errata/RHSA-2015-2131.html","http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html","http://www.securitytracker.com/id/1034221","https://bugzilla.redhat.com/show_bug.cgi?id=1238322"],"description":"The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown 
vectors.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2015-3276","epss":0.01912,"percentile":0.83369,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2015-3276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap-common-0c527d3d89610a10","name":"libldap-common","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap-common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap-common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap-common@2.6.10%2Bdfsg-1?arch=all&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2015-3276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2015-3276","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.","cvss":[],"epss":[{"cve":"CVE-2015-3276","epss":0.01912,"percentile":0.83369,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.09560000000000002},"relatedVulnerabilities":[{"id":"CVE-2015-3276","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2015-3276","namespace":"nvd:cpe","severity":"High","urls":["http://rhn.redhat.com/errata/RHSA-2015-2131.html","http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html","http://www.securitytracker.com/id/1034221","https://bugzilla.redhat.com/show_bug.cgi?id=1238322"],"description":"The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown 
vectors.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2015-3276","epss":0.01912,"percentile":0.83369,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2015-3276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap2-c8352a83e37f53d5","name":"libldap2","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap2:libldap2:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap2@2.6.10%2Bdfsg-1?arch=arm64&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2025-12084","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12084","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is 
quadratic. Availability can be impacted when building excessively nested documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.09064},"relatedVulnerabilities":[{"id":"CVE-2025-12084","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12084","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0","https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4","https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437","https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af","https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273","https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907","https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d","https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8","https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8","https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0","https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964","https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53","https://github.com/python/cpython/issues/142145","https://github.com/python/cpython/pull/142146"],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the 
algorithm is quadratic. Availability can be impacted when building excessively nested documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12084","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-12084","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12084","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested 
documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.09064},"relatedVulnerabilities":[{"id":"CVE-2025-12084","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12084","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0","https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4","https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437","https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af","https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273","https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907","https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d","https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8","https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8","https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0","https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964","https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53","https://github.com/python/cpython/issues/142145","https://github.com/python/cpython/pull/142146"],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. 
Availability can be impacted when building excessively nested documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12084","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-12084","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12084","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested 
documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.09064},"relatedVulnerabilities":[{"id":"CVE-2025-12084","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12084","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0","https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4","https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437","https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af","https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273","https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907","https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d","https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8","https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8","https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0","https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964","https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53","https://github.com/python/cpython/issues/142145","https://github.com/python/cpython/pull/142146"],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. 
Availability can be impacted when building excessively nested documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12084","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-12084","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12084","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. 
Availability can be impacted when building excessively nested documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.09064},"relatedVulnerabilities":[{"id":"CVE-2025-12084","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12084","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0","https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4","https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437","https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af","https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273","https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907","https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d","https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8","https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8","https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0","https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964","https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53","https://github.com/python/cpython/issues/142145","https://github.com/python/cpython/pull/142146"],"description":"When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is 
quadratic. Availability can be impacted when building excessively nested documents.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12084","epss":0.00176,"percentile":0.38724,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12084","cwe":"CWE-407","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12084","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-0672","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0672","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0869},"relatedVulnerabilities":[{"id":"CVE-2026-0672","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0672","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172","https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440","https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d","https://github.com/python/cpython/commi
t/918387e4912d12ffc166c8f2a38df92b6ec756ca","https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70","https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85","https://github.com/python/cpython/issues/143919","https://github.com/python/cpython/pull/143920","https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/"],"description":"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0672","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-0672","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0672","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and 
parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0869},"relatedVulnerabilities":[{"id":"CVE-2026-0672","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0672","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172","https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440","https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d","https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca","https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70","https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85","https://github.com/python/cpython/issues/143919","https://github.com/python/cpython/pull/143920","https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/"],"description":"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. 
Patch rejects all control characters within cookie names, values, and parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0672","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-0672","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0672","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When using http.cookies.Morsel, user-controlled cookie 
values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0869},"relatedVulnerabilities":[{"id":"CVE-2026-0672","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0672","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172","https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440","https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d","https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca","https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70","https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85","https://github.com/python/cpython/issues/143919","https://github.com/python/cpython/pull/143920","https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/"],"description":"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. 
Patch rejects all control characters within cookie names, values, and parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0672","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-0672","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0672","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. 
Patch rejects all control characters within cookie names, values, and parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0869},"relatedVulnerabilities":[{"id":"CVE-2026-0672","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0672","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172","https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440","https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d","https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca","https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70","https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85","https://github.com/python/cpython/issues/143919","https://github.com/python/cpython/pull/143920","https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/"],"description":"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. 
Patch rejects all control characters within cookie names, values, and parameters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0672","epss":0.00158,"percentile":0.36259,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0672","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0672","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2021-31879","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-31879","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a 
different origin, a related issue to CVE-2018-1000007.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":2.9,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-31879","epss":0.0015,"percentile":0.35217,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-31879","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.08324999999999999},"relatedVulnerabilities":[{"id":"CVE-2021-31879","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-31879","namespace":"nvd:cpe","severity":"Medium","urls":["https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html","https://security.netapp.com/advisory/ntap-20210618-0002/"],"description":"GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":2.9,"impactScore":2.8},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":5.8,"exploitabilityScore":8.6,"impactScore":5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-31879","epss":0.0015,"percentile":0.35217,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-31879","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"wget","version":"1.25.0-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-31879","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-wget-687c8f5ada52a50a","name":"wget","version":"1.25.0-2","type":"deb","locations":null,"language":"","licenses":["GFDL-1.2-only AND GPL-3.0-only"],"cpes":["cpe:2.3:a:wget:wget:1.25.0-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/wget@1.25.0-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2020-14145","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-14145","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.","cvss":[],"epss":[{"cve":"CVE-2020-14145","epss":0.01562,"percentile":0.81561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0781},"relatedVulnerabilities":[{"id":"CVE-2020-14145","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-14145","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.openwall.com/lists/oss-security/2020/12/02/1","https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d","https://docs.ssh-mitm.at/CVE-2020-14145.html","https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1","https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py","https://security.gentoo.org/glsa/202105-35","https://security.netapp.com/advisory/ntap-20200709-0004/","https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-ang
riffe-auf-ssh-clients/"],"description":"The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-14145","epss":0.01562,"percentile":0.81561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-14145","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2020-14145","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-14145","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). 
NOTE: some reports state that 8.5 and 8.6 are also affected.","cvss":[],"epss":[{"cve":"CVE-2020-14145","epss":0.01562,"percentile":0.81561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0781},"relatedVulnerabilities":[{"id":"CVE-2020-14145","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-14145","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.openwall.com/lists/oss-security/2020/12/02/1","https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d","https://docs.ssh-mitm.at/CVE-2020-14145.html","https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1","https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py","https://security.gentoo.org/glsa/202105-35","https://security.netapp.com/advisory/ntap-20200709-0004/","https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/"],"description":"The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). 
NOTE: some reports state that 8.5 and 8.6 are also affected.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-14145","epss":0.01562,"percentile":0.81561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-14145","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2020-14145","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-14145","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). 
NOTE: some reports state that 8.5 and 8.6 are also affected.","cvss":[],"epss":[{"cve":"CVE-2020-14145","epss":0.01562,"percentile":0.81561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0781},"relatedVulnerabilities":[{"id":"CVE-2020-14145","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-14145","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.openwall.com/lists/oss-security/2020/12/02/1","https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d","https://docs.ssh-mitm.at/CVE-2020-14145.html","https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1","https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py","https://security.gentoo.org/glsa/202105-35","https://security.netapp.com/advisory/ntap-20200709-0004/","https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/"],"description":"The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). 
NOTE: some reports state that 8.5 and 8.6 are also affected.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-14145","epss":0.01562,"percentile":0.81561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2020-14145","cwe":"CWE-203","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-14145","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2011-3374","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-3374","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle 
attack.","cvss":[],"epss":[{"cve":"CVE-2011-3374","epss":0.01509,"percentile":0.81263,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3374","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.07544999999999999},"relatedVulnerabilities":[{"id":"CVE-2011-3374","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-3374","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/cve-2011-3374","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480","https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html","https://seclists.org/fulldisclosure/2011/Sep/221","https://security-tracker.debian.org/tracker/CVE-2011-3374","https://snyk.io/vuln/SNYK-LINUX-APT-116518","https://ubuntu.com/security/CVE-2011-3374"],"description":"It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-3374","epss":0.01509,"percentile":0.81263,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3374","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apt","version":"3.0.3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-3374","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-apt-facf68475984aa8d","name":"apt","version":"3.0.3","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND curl"],"cpes":["cpe:2.3:a:apt:apt:3.0.3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apt@3.0.3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2011-3374","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-3374","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.","cvss":[],"epss":[{"cve":"CVE-2011-3374","epss":0.01509,"percentile":0.81263,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3374","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.07544999999999999},"relatedVulnerabilities":[{"id":"CVE-2011-3374","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-3374","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/cve-2011-3374","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480","https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html","https://seclists.org/fulldisclosure/2011/Sep/221","https://security-tracker.debian.org/tracker/CVE-2011-3374","https://snyk.io/vuln/SNYK-LINUX-APT-116518","https://ubuntu.com/security/CVE-2011-3374"],"description":"It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle 
attack.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-3374","epss":0.01509,"percentile":0.81263,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3374","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apt","version":"3.0.3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-3374","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apt-utils-7120f7439cdaabdf","name":"apt-utils","version":"3.0.3","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND curl"],"cpes":["cpe:2.3:a:apt-utils:apt-utils:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:apt-utils:apt_utils:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:apt_utils:apt-utils:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:apt_utils:apt_utils:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:apt:apt-utils:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:apt:apt_utils:3.0.3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apt-utils@3.0.3?arch=arm64&distro=debian-13&upstream=apt","upstreams":[{"name":"apt"}]}},{"vulnerability":{"id":"CVE-2011-3374","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-3374","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle 
attack.","cvss":[],"epss":[{"cve":"CVE-2011-3374","epss":0.01509,"percentile":0.81263,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3374","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.07544999999999999},"relatedVulnerabilities":[{"id":"CVE-2011-3374","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-3374","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/cve-2011-3374","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480","https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html","https://seclists.org/fulldisclosure/2011/Sep/221","https://security-tracker.debian.org/tracker/CVE-2011-3374","https://snyk.io/vuln/SNYK-LINUX-APT-116518","https://ubuntu.com/security/CVE-2011-3374"],"description":"It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-3374","epss":0.01509,"percentile":0.81263,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-3374","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apt","version":"3.0.3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-3374","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libapt-pkg7.0-592151e20d065588","name":"libapt-pkg7.0","version":"3.0.3","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND curl"],"cpes":["cpe:2.3:a:libapt-pkg7.0:libapt-pkg7.0:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:libapt-pkg7.0:libapt_pkg7.0:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:libapt_pkg7.0:libapt-pkg7.0:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:libapt_pkg7.0:libapt_pkg7.0:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:libapt:libapt-pkg7.0:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:libapt:libapt_pkg7.0:3.0.3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libapt-pkg7.0@3.0.3?arch=arm64&distro=debian-13&upstream=apt","upstreams":[{"name":"apt"}]}},{"vulnerability":{"id":"CVE-2025-13836","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13836","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. 
This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.075},"relatedVulnerabilities":[{"id":"CVE-2025-13836","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13836","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628","https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15","https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155","https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5","https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0","https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c","https://github.com/python/cpython/issues/119451","https://github.com/python/cpython/pull/119454","https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/"],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. 
This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13836","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-13836","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13836","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other 
DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.075},"relatedVulnerabilities":[{"id":"CVE-2025-13836","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13836","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628","https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15","https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155","https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5","https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0","https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c","https://github.com/python/cpython/issues/119451","https://github.com/python/cpython/pull/119454","https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/"],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. 
This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13836","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-13836","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13836","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other 
DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.075},"relatedVulnerabilities":[{"id":"CVE-2025-13836","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13836","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628","https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15","https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155","https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5","https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0","https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c","https://github.com/python/cpython/issues/119451","https://github.com/python/cpython/pull/119454","https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/"],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. 
This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13836","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-13836","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13836","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. 
This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.075},"relatedVulnerabilities":[{"id":"CVE-2025-13836","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13836","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628","https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15","https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155","https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5","https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0","https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c","https://github.com/python/cpython/issues/119451","https://github.com/python/cpython/pull/119454","https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/"],"description":"When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. 
This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13836","epss":0.001,"percentile":0.2743,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13836","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13836","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2018-20796","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20796","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.","cvss":[],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0746},"relatedVulnerabilities":[{"id":"CVE-2018-20796","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20796","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141","https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html","https://security.netapp.com/advisory/ntap-20190315-0002/","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in 
grep.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20796","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2018-20796","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20796","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.","cvss":[],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0746},"relatedVulnerabilities":[{"id":"CVE-2018-20796","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20796","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141","https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html","https://security.netapp.com/advisory/ntap-20190315-0002/","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in 
grep.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20796","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2018-20796","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20796","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.","cvss":[],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0746},"relatedVulnerabilities":[{"id":"CVE-2018-20796","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20796","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141","https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html","https://security.netapp.com/advisory/ntap-20190315-0002/","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in 
grep.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20796","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2018-20796","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20796","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.","cvss":[],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0746},"relatedVulnerabilities":[{"id":"CVE-2018-20796","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20796","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141","https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html","https://security.netapp.com/advisory/ntap-20190315-0002/","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in 
grep.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20796","epss":0.01492,"percentile":0.81139,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20796","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-41411","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-41411","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41411","epss":0.00127,"percentile":0.31613,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41411","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.07366},"relatedVulnerabilities":[{"id":"CVE-2026-41411","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-41411","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb","https://github.com/vim/vim/releases/tag/v9.2.0357","https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8"],"description":"Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. 
When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41411","epss":0.00127,"percentile":0.31613,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41411","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-41411","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-41411","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-41411","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running 
user.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41411","epss":0.00127,"percentile":0.31613,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41411","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.07366},"relatedVulnerabilities":[{"id":"CVE-2026-41411","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-41411","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb","https://github.com/vim/vim/releases/tag/v9.2.0357","https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8"],"description":"Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. 
If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41411","epss":0.00127,"percentile":0.31613,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41411","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-41411","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-41411","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-41411","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running 
user.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41411","epss":0.00127,"percentile":0.31613,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41411","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.07366},"relatedVulnerabilities":[{"id":"CVE-2026-41411","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-41411","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb","https://github.com/vim/vim/releases/tag/v9.2.0357","https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8"],"description":"Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. 
If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41411","epss":0.00127,"percentile":0.31613,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41411","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-41411","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-0865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0865","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled header names and values containing newlines can allow injecting HTTP 
headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.07194},"relatedVulnerabilities":[{"id":"CVE-2026-0865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0865","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58","https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510","https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f","https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2","https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5","https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6","https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff","https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97","https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf","https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219","https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995","https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211","https://github.com/python/cpython/issues/143916","https://github.com/python/cpython/pull/143917","https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/"],"description":"User-controlled header names and 
values containing newlines can allow injecting HTTP headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-0865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0865","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled header names and values containing newlines can 
allow injecting HTTP headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.07194},"relatedVulnerabilities":[{"id":"CVE-2026-0865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0865","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58","https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510","https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f","https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2","https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5","https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6","https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff","https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97","https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf","https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219","https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995","https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211","https://github.com/python/cpython/issues/143916","https://github.com/python/cpython/pull/143917","https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/"],"description":"User-controlled 
header names and values containing newlines can allow injecting HTTP headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-0865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0865","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled header names and values containing newlines 
can allow injecting HTTP headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.07194},"relatedVulnerabilities":[{"id":"CVE-2026-0865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0865","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58","https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510","https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f","https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2","https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5","https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6","https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff","https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97","https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf","https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219","https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995","https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211","https://github.com/python/cpython/issues/143916","https://github.com/python/cpython/pull/143917","https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/"],"description":"User-control
led header names and values containing newlines can allow injecting HTTP headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-0865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0865","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled header names and values containing newlines can allow injecting HTTP 
headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.07194},"relatedVulnerabilities":[{"id":"CVE-2026-0865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0865","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58","https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510","https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f","https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2","https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5","https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6","https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff","https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97","https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf","https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219","https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995","https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211","https://github.com/python/cpython/issues/143916","https://github.com/python/cpython/pull/143917","https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/"],"description":"User-controlled header names and 
values containing newlines can allow injecting HTTP headers.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0865","epss":0.00132,"percentile":0.32327,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0865","cwe":"CWE-74","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2023-39810","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-39810","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory 
traversal.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-39810","epss":0.00092,"percentile":0.25732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-39810","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.07038000000000001},"relatedVulnerabilities":[{"id":"CVE-2023-39810","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-39810","namespace":"nvd:cpe","severity":"High","urls":["http://busybox.com","https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/","http://www.openwall.com/lists/oss-security/2025/04/23/1","http://www.openwall.com/lists/oss-security/2025/04/23/2","http://www.openwall.com/lists/oss-security/2025/04/23/3","http://www.openwall.com/lists/oss-security/2025/04/24/2"],"description":"An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-39810","epss":0.00092,"percentile":0.25732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-39810","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-39810","versionConstraint":"none 
(unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-39810","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2003-1307","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1307","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... 
Not a bug in PHP.","cvss":[],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.062},"relatedVulnerabilities":[{"id":"CVE-2003-1307","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1307","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.php.net/38915","http://hackerdom.ru/~dimmo/phpexpl.c","http://www.securityfocus.com/archive/1/348368","http://www.securityfocus.com/archive/1/449234/100/0/threaded","http://www.securityfocus.com/archive/1/449298/100/0/threaded","http://www.securityfocus.com/bid/9302"],"description":"The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... 
Not a bug in PHP.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1307","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2003-1307","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1307","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. 
It is the job of Apache to protect them ... Not a bug in PHP.","cvss":[],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.062},"relatedVulnerabilities":[{"id":"CVE-2003-1307","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1307","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.php.net/38915","http://hackerdom.ru/~dimmo/phpexpl.c","http://www.securityfocus.com/archive/1/348368","http://www.securityfocus.com/archive/1/449234/100/0/threaded","http://www.securityfocus.com/archive/1/449298/100/0/threaded","http://www.securityfocus.com/bid/9302"],"description":"The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... 
Not a bug in PHP.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1307","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2003-1307","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1307","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The mod_php module for the Apache HTTP 
Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... Not a bug in PHP.","cvss":[],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.062},"relatedVulnerabilities":[{"id":"CVE-2003-1307","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1307","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.php.net/38915","http://hackerdom.ru/~dimmo/phpexpl.c","http://www.securityfocus.com/archive/1/348368","http://www.securityfocus.com/archive/1/449234/100/0/threaded","http://www.securityfocus.com/archive/1/449298/100/0/threaded","http://www.securityfocus.com/bid/9302"],"description":"The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... 
Not a bug in PHP.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1307","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2003-1307","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1307","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The mod_php module for the 
Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... Not a bug in PHP.","cvss":[],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.062},"relatedVulnerabilities":[{"id":"CVE-2003-1307","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1307","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.php.net/38915","http://hackerdom.ru/~dimmo/phpexpl.c","http://www.securityfocus.com/archive/1/348368","http://www.securityfocus.com/archive/1/449234/100/0/threaded","http://www.securityfocus.com/archive/1/449298/100/0/threaded","http://www.securityfocus.com/bid/9302"],"description":"The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port.  NOTE: the PHP developer has disputed this vulnerability, saying \"The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... 
Not a bug in PHP.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1307","epss":0.0124,"percentile":0.79318,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1307","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1307","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2017-13084","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13084","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Wi-Fi 
Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.","cvss":[],"epss":[{"cve":"CVE-2017-13084","epss":0.01225,"percentile":0.79205,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13084","cwe":"CWE-323","source":"cret@cert.org","type":"Secondary"},{"cve":"CVE-2017-13084","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.061250000000000006},"relatedVulnerabilities":[{"id":"CVE-2017-13084","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13084","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt","http://www.kb.cert.org/vuls/id/228519","http://www.securityfocus.com/bid/101274","http://www.securitytracker.com/id/1039576","http://www.securitytracker.com/id/1039577","http://www.securitytracker.com/id/1039581","https://access.redhat.com/security/vulnerabilities/kracks","https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf","https://security.gentoo.org/glsa/201711-03","https://support.lenovo.com/us/en/product_security/LEN-17420","https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa","https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt","https://www.krackattacks.com/"],"description":"Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof 
frames.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.8,"exploitabilityScore":1.7,"impactScore":5.2},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:A/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.4,"exploitabilityScore":5.6,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13084","epss":0.01225,"percentile":0.79205,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13084","cwe":"CWE-323","source":"cret@cert.org","type":"Secondary"},{"cve":"CVE-2017-13084","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"wpa","version":"2:2.10-24"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13084","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-wpasupplicant-f998381dada0f060","name":"wpasupplicant","version":"2:2.10-24","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-2.0-only AND ISC AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:wpasupplicant:wpasupplicant:2\\:2.10-24:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/wpasupplicant@2%3A2.10-24?arch=arm64&distro=debian-13&upstream=wpa","upstreams":[{"name":"wpa"}]}},{"vulnerability":{"id":"CVE-2018-5709","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-5709","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0594},"relatedVulnerabilities":[{"id":"CVE-2018-5709","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-5709","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow","https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-5709","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-krb5-locales-47c43824bf48a66c","name":"krb5-locales","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:krb5-locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5-locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5_locales:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/krb5-locales@1.21.3-5?arch=all&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2018-5709","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-5709","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. 
There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0594},"relatedVulnerabilities":[{"id":"CVE-2018-5709","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-5709","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow","https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-5709","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgssapi-krb5-2-f126828866b7e868","name":"libgssapi-krb5-2","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgssapi-krb5-2@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2018-5709","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-5709","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0594},"relatedVulnerabilities":[{"id":"CVE-2018-5709","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-5709","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow","https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-5709","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libk5crypto3-83b2cd2d3fde8f6b","name":"libk5crypto3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libk5crypto3:libk5crypto3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libk5crypto3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2018-5709","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-5709","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0594},"relatedVulnerabilities":[{"id":"CVE-2018-5709","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-5709","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow","https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-5709","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5-3-2eb5875d5518f857","name":"libkrb5-3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5-3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5-3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5-3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2018-5709","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-5709","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. 
There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0594},"relatedVulnerabilities":[{"id":"CVE-2018-5709","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-5709","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow","https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"],"description":"An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-5709","epss":0.01188,"percentile":0.78885,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-5709","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-5709","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5support0-80b206ca5e07fd6c","name":"libkrb5support0","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5support0:libkrb5support0:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5support0@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2003-1580","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1580","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an 
\"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.05890000000000001},"relatedVulnerabilities":[{"id":"CVE-2003-1580","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1580","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1580","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND 
GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2003-1580","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1580","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.05890000000000001},"relatedVulnerabilities":[{"id":"CVE-2003-1580","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1580","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an \"Inverse Lookup Log Corruption (ILLC)\" 
issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1580","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2003-1580","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1580","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is 
enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.05890000000000001},"relatedVulnerabilities":[{"id":"CVE-2003-1580","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1580","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1580","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2003-1580","dataSource":"https://security-tracker.debian.org/tracker/CVE-2003-1580","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an \"Inverse Lookup Log Corruption (ILLC)\" 
issue.","cvss":[],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.05890000000000001},"relatedVulnerabilities":[{"id":"CVE-2003-1580","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2003-1580","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/archive/1/313867"],"description":"The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an \"Inverse Lookup Log Corruption (ILLC)\" issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2003-1580","epss":0.01178,"percentile":0.78807,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2003-1580","cwe":"CWE-189","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2003-1580","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND 
GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2025-8291","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8291","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   
Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.053009999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-8291","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8291","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267","https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46","https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6","https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196","https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4","https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388","https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3","https://github.com/python/cpython/issues/139700","https://github.com/python/cpython/pull/139702","https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/","https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p","https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json"],"description":"The 'zipfile' module would not check the validity of the ZIP64 End of\nCentral Directory (EOCD) Locator record offset value would not be used to\nlocate the ZIP64 EOCD record, instead the ZIP64 EOCD record 
would be\nassumed to be the previous record in the ZIP archive. This could be abused\nto create ZIP archives that are handled differently by the 'zipfile' module\ncompared to other ZIP implementations.\n\n\nRemediation maintains this behavior, but checks that the offset specified\nin the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8291","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-8291","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8291","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   
Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.053009999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-8291","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8291","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267","https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46","https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6","https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196","https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4","https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388","https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3","https://github.com/python/cpython/issues/139700","https://github.com/python/cpython/pull/139702","https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/","https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p","https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json"],"description":"The 'zipfile' module would not check the validity of the ZIP64 End of\nCentral Directory (EOCD) Locator record offset value would not be used to\nlocate the ZIP64 EOCD record, instead the ZIP64 EOCD record 
would be\nassumed to be the previous record in the ZIP archive. This could be abused\nto create ZIP archives that are handled differently by the 'zipfile' module\ncompared to other ZIP implementations.\n\n\nRemediation maintains this behavior, but checks that the offset specified\nin the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8291","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-8291","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8291","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   
Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.053009999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-8291","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8291","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267","https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46","https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6","https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196","https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4","https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388","https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3","https://github.com/python/cpython/issues/139700","https://github.com/python/cpython/pull/139702","https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/","https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p","https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json"],"description":"The 'zipfile' module would not check the validity of the ZIP64 End of\nCentral Directory (EOCD) Locator record offset value would not be used to\nlocate the ZIP64 EOCD record, instead the ZIP64 EOCD record 
would be\nassumed to be the previous record in the ZIP archive. This could be abused\nto create ZIP archives that are handled differently by the 'zipfile' module\ncompared to other ZIP implementations.\n\n\nRemediation maintains this behavior, but checks that the offset specified\nin the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8291","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-8291","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8291","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. 
This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.   Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.053009999999999995},"relatedVulnerabilities":[{"id":"CVE-2025-8291","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8291","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267","https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46","https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6","https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196","https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4","https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388","https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3","https://github.com/python/cpython/issues/139700","https://github.com/python/cpython/pull/139702","https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/","https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p","https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json"],"description":"The 'zipfile' module would not check the validity of the ZIP64 End 
of\nCentral Directory (EOCD) Locator record offset value would not be used to\nlocate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be\nassumed to be the previous record in the ZIP archive. This could be abused\nto create ZIP archives that are handled differently by the 'zipfile' module\ncompared to other ZIP implementations.\n\n\nRemediation maintains this behavior, but checks that the offset specified\nin the ZIP64 EOCD Locator record matches the expected value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8291","epss":0.00114,"percentile":0.29659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8291","cwe":"CWE-1285","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8291","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-13151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13151","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13151","epss":0.00062,"percentile":0.19163,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13151","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0465},"relatedVulnerabilities":[{"id":"CVE-2025-13151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13151","namespace":"nvd:cpe","severity":"High","urls":["https://gitlab.com/gnutls/libtasn1","https://gitlab.com/gnutls/libtasn1/-/merge_requests/121","http://www.openwall.com/lists/oss-security/2026/01/08/5","https://www.kb.cert.org/vuls/id/271649"],"description":"Stack-based buffer overflow in libtasn1 version: v4.20.0. 
The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13151","epss":0.00062,"percentile":0.19163,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13151","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libtasn1-6","version":"4.20.0-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libtasn1-6-d020168fb42cf685","name":"libtasn1-6","version":"4.20.0-2","type":"deb","locations":null,"language":"","licenses":["GFDL-1.3-only AND GPL-3.0-only AND LicenseRef-LGPL AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libtasn1-6:libtasn1-6:4.20.0-2:*:*:*:*:*:*:*","cpe:2.3:a:libtasn1-6:libtasn1_6:4.20.0-2:*:*:*:*:*:*:*","cpe:2.3:a:libtasn1_6:libtasn1-6:4.20.0-2:*:*:*:*:*:*:*","cpe:2.3:a:libtasn1_6:libtasn1_6:4.20.0-2:*:*:*:*:*:*:*","cpe:2.3:a:libtasn1:libtasn1-6:4.20.0-2:*:*:*:*:*:*:*","cpe:2.3:a:libtasn1:libtasn1_6:4.20.0-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libtasn1-6@4.20.0-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2008-4677","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-4677","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows 
remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords.  NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating \"I'm assuming that they're using the same id and password on that unchanged hostname, deliberately.\"","cvss":[],"epss":[{"cve":"CVE-2008-4677","epss":0.00929,"percentile":0.76167,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4677","cwe":"CWE-255","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.04645},"relatedVulnerabilities":[{"id":"CVE-2008-4677","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-4677","namespace":"nvd:cpe","severity":"Medium","urls":["http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6","http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html","http://secunia.com/advisories/31464","http://secunia.com/advisories/34418","http://www.mandriva.com/security/advisories?name=MDVSA-2008:236","http://www.openwall.com/lists/oss-security/2008/10/06/4","http://www.openwall.com/lists/oss-security/2008/10/16/2","http://www.openwall.com/lists/oss-security/2008/10/20/2","http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html","http://www.securityfocus.com/archive/1/495432","http://www.securityfocus.com/archive/1/495436","http://www.securityfocus.com/bid/30670","http://www.vupen.com/english/advisories/2008/2379","https://bugzilla.redhat.com/show_bug.cgi?id=461750","https://exchange.xforce.ibmcloud.com/vulnerabilities/44419"],"description":"autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in 
opportunistic circumstances by logging usernames and passwords.  NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating \"I'm assuming that they're using the same id and password on that unchanged hostname, deliberately.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-4677","epss":0.00929,"percentile":0.76167,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4677","cwe":"CWE-255","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-4677","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2008-4677","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-4677","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords.  
NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating \"I'm assuming that they're using the same id and password on that unchanged hostname, deliberately.\"","cvss":[],"epss":[{"cve":"CVE-2008-4677","epss":0.00929,"percentile":0.76167,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4677","cwe":"CWE-255","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.04645},"relatedVulnerabilities":[{"id":"CVE-2008-4677","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-4677","namespace":"nvd:cpe","severity":"Medium","urls":["http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6","http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html","http://secunia.com/advisories/31464","http://secunia.com/advisories/34418","http://www.mandriva.com/security/advisories?name=MDVSA-2008:236","http://www.openwall.com/lists/oss-security/2008/10/06/4","http://www.openwall.com/lists/oss-security/2008/10/16/2","http://www.openwall.com/lists/oss-security/2008/10/20/2","http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html","http://www.securityfocus.com/archive/1/495432","http://www.securityfocus.com/archive/1/495436","http://www.securityfocus.com/bid/30670","http://www.vupen.com/english/advisories/2008/2379","https://bugzilla.redhat.com/show_bug.cgi?id=461750","https://exchange.xforce.ibmcloud.com/vulnerabilities/44419"],"description":"autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords.  
NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating \"I'm assuming that they're using the same id and password on that unchanged hostname, deliberately.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-4677","epss":0.00929,"percentile":0.76167,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4677","cwe":"CWE-255","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-4677","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2008-4677","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-4677","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords.  
NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating \"I'm assuming that they're using the same id and password on that unchanged hostname, deliberately.\"","cvss":[],"epss":[{"cve":"CVE-2008-4677","epss":0.00929,"percentile":0.76167,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4677","cwe":"CWE-255","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.04645},"relatedVulnerabilities":[{"id":"CVE-2008-4677","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-4677","namespace":"nvd:cpe","severity":"Medium","urls":["http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6","http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html","http://secunia.com/advisories/31464","http://secunia.com/advisories/34418","http://www.mandriva.com/security/advisories?name=MDVSA-2008:236","http://www.openwall.com/lists/oss-security/2008/10/06/4","http://www.openwall.com/lists/oss-security/2008/10/16/2","http://www.openwall.com/lists/oss-security/2008/10/20/2","http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html","http://www.securityfocus.com/archive/1/495432","http://www.securityfocus.com/archive/1/495436","http://www.securityfocus.com/bid/30670","http://www.vupen.com/english/advisories/2008/2379","https://bugzilla.redhat.com/show_bug.cgi?id=461750","https://exchange.xforce.ibmcloud.com/vulnerabilities/44419"],"description":"autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords.  
NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating \"I'm assuming that they're using the same id and password on that unchanged hostname, deliberately.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-4677","epss":0.00929,"percentile":0.76167,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4677","cwe":"CWE-255","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-4677","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-5450","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5450","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format 
width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.046060000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-5450","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5450","namespace":"nvd:cpe","severity":"Critical","urls":["https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer 
overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5450","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5450","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5450","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.046060000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-5450","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5450","namespace":"nvd:cpe","severity":"Critical","urls":["https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"],"description":"Calling the scanf family 
of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5450","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5450","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5450","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.046060000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-5450","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5450","namespace":"nvd:cpe","severity":"Critical","urls":["https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"],"description":"Calling the scanf 
family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5450","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5450","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5450","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.046060000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-5450","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5450","namespace":"nvd:cpe","severity":"Critical","urls":["https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer 
overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00049,"percentile":0.15218,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5450","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2025-15366","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15366","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15366","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15366","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45","https://github.com/python/cpython/issues/143921","https://github.com/python/cpython/pull/143922","https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/"],"description":"The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. 
Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15366","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-15367","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15367","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The poplib module, when passed a user-controlled command, can 
have additional commands injected using newlines. Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15367","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15367","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7","https://github.com/python/cpython/issues/143923","https://github.com/python/cpython/pull/143924","https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/"],"description":"The poplib module, when passed a user-controlled command, can have\nadditional commands injected using newlines. 
Mitigation rejects commands\ncontaining control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15367","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-15366","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15366","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The imaplib module, when passed a user-controlled command, 
can have additional commands injected using newlines. Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15366","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15366","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45","https://github.com/python/cpython/issues/143921","https://github.com/python/cpython/pull/143922","https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/"],"description":"The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. 
Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15366","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-15367","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15367","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The poplib module, when passed a user-controlled command, can have 
additional commands injected using newlines. Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15367","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15367","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7","https://github.com/python/cpython/issues/143923","https://github.com/python/cpython/pull/143924","https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/"],"description":"The poplib module, when passed a user-controlled command, can have\nadditional commands injected using newlines. 
Mitigation rejects commands\ncontaining control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15367","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-15366","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15366","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The imaplib module, when passed a user-controlled command, can have 
additional commands injected using newlines. Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15366","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15366","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45","https://github.com/python/cpython/issues/143921","https://github.com/python/cpython/pull/143922","https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/"],"description":"The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. 
Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15366","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-15367","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15367","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. 
Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15367","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15367","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7","https://github.com/python/cpython/issues/143923","https://github.com/python/cpython/pull/143924","https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/"],"description":"The poplib module, when passed a user-controlled command, can have\nadditional commands injected using newlines. 
Mitigation rejects commands\ncontaining control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15367","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-15366","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15366","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. 
Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15366","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15366","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45","https://github.com/python/cpython/issues/143921","https://github.com/python/cpython/pull/143922","https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/"],"description":"The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. 
Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15366","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15366","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15366","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-15367","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15367","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The poplib module, when passed a user-controlled command, can have additional commands injected using 
newlines. Mitigation rejects commands containing control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.044145000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-15367","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15367","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7","https://github.com/python/cpython/issues/143923","https://github.com/python/cpython/pull/143924","https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/"],"description":"The poplib module, when passed a user-controlled command, can have\nadditional commands injected using newlines. 
Mitigation rejects commands\ncontaining control characters.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15367","epss":0.00081,"percentile":0.23601,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15367","cwe":"CWE-77","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15367","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2019-1010025","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010025","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. 
The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0428},"relatedVulnerabilities":[{"id":"CVE-2019-1010025","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010025","namespace":"nvd:cpe","severity":"Medium","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010025","https://sourceware.org/bugzilla/show_bug.cgi?id=22853","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010025"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010025","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010025","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010025","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0428},"relatedVulnerabilities":[{"id":"CVE-2019-1010025","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010025","namespace":"nvd:cpe","severity":"Medium","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010025","https://sourceware.org/bugzilla/show_bug.cgi?id=22853","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010025"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010025","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010025","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010025","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0428},"relatedVulnerabilities":[{"id":"CVE-2019-1010025","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010025","namespace":"nvd:cpe","severity":"Medium","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010025","https://sourceware.org/bugzilla/show_bug.cgi?id=22853","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010025"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010025","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010025","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010025","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0428},"relatedVulnerabilities":[{"id":"CVE-2019-1010025","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010025","namespace":"nvd:cpe","severity":"Medium","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010025","https://sourceware.org/bugzilla/show_bug.cgi?id=22853","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010025"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010025","epss":0.00856,"percentile":0.7505,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010025","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2024-52616","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52616","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.042745},"relatedVulnerabilities":[{"id":"CVE-2024-52616","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52616","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:7437","https://access.redhat.com/security/cve/CVE-2024-52616","https://bugzilla.redhat.com/show_bug.cgi?id=2326429","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. 
This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52616","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2024-52616","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52616","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. 
This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.042745},"relatedVulnerabilities":[{"id":"CVE-2024-52616","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52616","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:7437","https://access.redhat.com/security/cve/CVE-2024-52616","https://bugzilla.redhat.com/show_bug.cgi?id=2326429","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. 
This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52616","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND 
LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2024-52616","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52616","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. 
This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.042745},"relatedVulnerabilities":[{"id":"CVE-2024-52616","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52616","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:7437","https://access.redhat.com/security/cve/CVE-2024-52616","https://bugzilla.redhat.com/show_bug.cgi?id=2326429","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. 
This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52616","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2024-52616","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52616","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. 
This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.042745},"relatedVulnerabilities":[{"id":"CVE-2024-52616","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52616","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:7437","https://access.redhat.com/security/cve/CVE-2024-52616","https://bugzilla.redhat.com/show_bug.cgi?id=2326429","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. 
This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52616","epss":0.00083,"percentile":0.24111,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52616","cwe":"CWE-334","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52616","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-40355","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40355","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40355","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40355","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40355","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-krb5-locales-47c43824bf48a66c","name":"krb5-locales","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:krb5-locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5-locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5_locales:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/krb5-locales@1.21.3-5?arch=all&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40355","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40355","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40355","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40355","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40355","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgssapi-krb5-2-f126828866b7e868","name":"libgssapi-krb5-2","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgssapi-krb5-2@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40355","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40355","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In 
MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40355","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40355","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40355","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libk5crypto3-83b2cd2d3fde8f6b","name":"libk5crypto3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libk5crypto3:libk5crypto3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libk5crypto3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40355","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40355","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40355","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40355","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40355","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5-3-2eb5875d5518f857","name":"libkrb5-3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5-3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5-3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5-3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40355","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40355","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40355","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40355","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40355","epss":0.00075,"percentile":0.22478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40355","cwe":"CWE-476","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40355","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5support0-80b206ca5e07fd6c","name":"libkrb5support0","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5support0:libkrb5support0:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5support0@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40356","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40356","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40356","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40356","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40356","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-krb5-locales-47c43824bf48a66c","name":"krb5-locales","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:krb5-locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5-locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5_locales:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/krb5-locales@1.21.3-5?arch=all&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40356","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40356","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40356","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40356","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40356","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgssapi-krb5-2-f126828866b7e868","name":"libgssapi-krb5-2","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgssapi-krb5-2@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40356","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40356","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In 
MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40356","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40356","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40356","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libk5crypto3-83b2cd2d3fde8f6b","name":"libk5crypto3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libk5crypto3:libk5crypto3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libk5crypto3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40356","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40356","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40356","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40356","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40356","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5-3-2eb5875d5518f857","name":"libkrb5-3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5-3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5-3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5-3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-40356","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40356","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.040875},"relatedVulnerabilities":[{"id":"CVE-2026-40356","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40356","namespace":"nvd:cpe","severity":"Medium","urls":["https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html","https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f","https://web.mit.edu/kerberos/advisories/"],"description":"In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. 
An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40356","epss":0.00075,"percentile":0.22422,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40356","cwe":"CWE-191","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40356","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5support0-80b206ca5e07fd6c","name":"libkrb5support0","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5support0:libkrb5support0:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5support0@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2019-9192","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-9192","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03950000000000001},"relatedVulnerabilities":[{"id":"CVE-2019-9192","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-9192","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=24269","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-9192","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-9192","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-9192","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03950000000000001},"relatedVulnerabilities":[{"id":"CVE-2019-9192","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-9192","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=24269","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-9192","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-9192","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-9192","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03950000000000001},"relatedVulnerabilities":[{"id":"CVE-2019-9192","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-9192","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=24269","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-9192","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-9192","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-9192","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03950000000000001},"relatedVulnerabilities":[{"id":"CVE-2019-9192","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-9192","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=24269","https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-9192","epss":0.0079,"percentile":0.73963,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-9192","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4437","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid 
answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0375},"relatedVulnerabilities":[{"id":"CVE-2026-4437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4437","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34014"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4437","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4437","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer 
section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0375},"relatedVulnerabilities":[{"id":"CVE-2026-4437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4437","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34014"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4437","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4437","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a 
non-answer section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0375},"relatedVulnerabilities":[{"id":"CVE-2026-4437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4437","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34014"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4437","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4437","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid 
answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0375},"relatedVulnerabilities":[{"id":"CVE-2026-4437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4437","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34014"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.0005,"percentile":0.15496,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4437","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-6772","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6772","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Incorrect boundary conditions in the Libraries component in NSS. 
This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6772","epss":0.00049,"percentile":0.15173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6772","cwe":"CWE-754","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03675},"relatedVulnerabilities":[{"id":"CVE-2026-6772","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6772","namespace":"nvd:cpe","severity":"High","urls":["https://bugzilla.mozilla.org/show_bug.cgi?id=2026089","https://www.mozilla.org/security/advisories/mfsa2026-30/","https://www.mozilla.org/security/advisories/mfsa2026-31/","https://www.mozilla.org/security/advisories/mfsa2026-32/","https://www.mozilla.org/security/advisories/mfsa2026-33/","https://www.mozilla.org/security/advisories/mfsa2026-34/"],"description":"Incorrect boundary conditions in the Libraries component in NSS. 
This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6772","epss":0.00049,"percentile":0.15173,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6772","cwe":"CWE-754","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nss","version":"2:3.110-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6772","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss3-2c7a45e72cefc3cc","name":"libnss3","version":"2:3.110-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3 AND MPL-2.0 AND Zlib AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss3:libnss3:2\\:3.110-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=nss","upstreams":[{"name":"nss"}]}},{"vulnerability":{"id":"CVE-2026-26269","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-26269","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. 
A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26269","epss":0.00048,"percentile":0.14898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26269","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.036000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-26269","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26269","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970","https://github.com/vim/vim/releases/tag/v9.1.2148","https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68","http://www.openwall.com/lists/oss-security/2026/02/13/2"],"description":"Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. 
The issue has been fixed as of Vim patch v9.1.2148.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26269","epss":0.00048,"percentile":0.14898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26269","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-26269","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-26269","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-26269","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. 
The issue has been fixed as of Vim patch v9.1.2148.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26269","epss":0.00048,"percentile":0.14898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26269","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.036000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-26269","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26269","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970","https://github.com/vim/vim/releases/tag/v9.1.2148","https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68","http://www.openwall.com/lists/oss-security/2026/02/13/2"],"description":"Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. 
The issue has been fixed as of Vim patch v9.1.2148.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26269","epss":0.00048,"percentile":0.14898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26269","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-26269","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-26269","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-26269","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. 
The issue has been fixed as of Vim patch v9.1.2148.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26269","epss":0.00048,"percentile":0.14898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26269","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.036000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-26269","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26269","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970","https://github.com/vim/vim/releases/tag/v9.1.2148","https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68","http://www.openwall.com/lists/oss-security/2026/02/13/2"],"description":"Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. 
The issue has been fixed as of Vim patch v9.1.2148.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26269","epss":0.00048,"percentile":0.14898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26269","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-26269","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-1965","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1965","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"libcurl can in some 
circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  
Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1965","epss":0.00062,"percentile":0.19092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1965","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03565},"relatedVulnerabilities":[{"id":"CVE-2026-1965","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1965","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-1965.html","https://curl.se/docs/CVE-2026-1965.json"],"description":"libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. 
One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it just sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1965","epss":0.00062,"percentile":0.19092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1965","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1965","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-1965","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1965","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  
Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1965","epss":0.00062,"percentile":0.19092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1965","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03565},"relatedVulnerabilities":[{"id":"CVE-2026-1965","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1965","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-1965.html","https://curl.se/docs/CVE-2026-1965.json"],"description":"libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. 
One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it just sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1965","epss":0.00062,"percentile":0.19092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1965","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1965","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-1965","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1965","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  
An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1965","epss":0.00062,"percentile":0.19092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1965","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03565},"relatedVulnerabilities":[{"id":"CVE-2026-1965","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1965","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-1965.html","https://curl.se/docs/CVE-2026-1965.json"],"description":"libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a 
range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it just sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi 
API).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1965","epss":0.00062,"percentile":0.19092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1965","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1965","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2024-52615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52615","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. 
This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03502},"relatedVulnerabilities":[{"id":"CVE-2024-52615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52615","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:11402","https://access.redhat.com/errata/RHSA-2025:16441","https://access.redhat.com/security/cve/CVE-2024-52615","https://bugzilla.redhat.com/show_bug.cgi?id=2326418","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. 
This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2024-52615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52615","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. 
This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03502},"relatedVulnerabilities":[{"id":"CVE-2024-52615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52615","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:11402","https://access.redhat.com/errata/RHSA-2025:16441","https://access.redhat.com/security/cve/CVE-2024-52615","https://bugzilla.redhat.com/show_bug.cgi?id=2326418","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. 
This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2024-52615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52615","namespace":"debian:distro:debian:13",
"severity":"Medium","urls":[],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03502},"relatedVulnerabilities":[{"id":"CVE-2024-52615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52615","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:11402","https://access.redhat.com/errata/RHSA-2025:16441","https://access.redhat.com/security/cve/CVE-2024-52615","https://bugzilla.redhat.com/show_bug.cgi?id=2326418","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. 
This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2024-52615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-52615","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. 
This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03502},"relatedVulnerabilities":[{"id":"CVE-2024-52615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-52615","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2025:11402","https://access.redhat.com/errata/RHSA-2025:16441","https://access.redhat.com/security/cve/CVE-2024-52615","https://bugzilla.redhat.com/show_bug.cgi?id=2326418","https://github.com/avahi/avahi/pull/577"],"description":"A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. 
This issue simplifies attacks where malicious DNS responses are injected.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-52615","epss":0.00068,"percentile":0.20691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-52615","cwe":"CWE-330","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-52615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-6141","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6141","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. 
Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03479},"relatedVulnerabilities":[{"id":"CVE-2025-6141","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6141","namespace":"nvd:cpe","severity":"Medium","urls":["https://invisible-island.net/ncurses/NEWS.html#index-t20250329","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html","https://vuldb.com/?ctiid.312610","https://vuldb.com/?id.312610","https://vuldb.com/?submit.593000","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6141","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libncursesw6-32e2516577af1ce8","name":"libncursesw6","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND X11"],"cpes":["cpe:2.3:a:libncursesw6:libncursesw6:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libncursesw6@6.5%2B20250216-2?arch=arm64&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-6141","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6141","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A vulnerability has been found in GNU 
ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03479},"relatedVulnerabilities":[{"id":"CVE-2025-6141","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6141","namespace":"nvd:cpe","severity":"Medium","urls":["https://invisible-island.net/ncurses/NEWS.html#index-t20250329","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html","https://vuldb.com/?ctiid.312610","https://vuldb.com/?id.312610","https://vuldb.com/?submit.593000","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6141","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libtinfo6-109ce5d685f813c6","name":"libtinfo6","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND X11"],"cpes":["cpe:2.3:a:libtinfo6:libtinfo6:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libtinfo6@6.5%2B20250216-2?arch=arm64&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-6141","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6141","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A vulnerability has been found in GNU ncurses up to 
6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03479},"relatedVulnerabilities":[{"id":"CVE-2025-6141","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6141","namespace":"nvd:cpe","severity":"Medium","urls":["https://invisible-island.net/ncurses/NEWS.html#index-t20250329","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html","https://vuldb.com/?ctiid.312610","https://vuldb.com/?id.312610","https://vuldb.com/?submit.593000","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6141","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ncurses-base-3f9378db54aaac9e","name":"ncurses-base","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND 
X11"],"cpes":["cpe:2.3:a:ncurses-base:ncurses-base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses-base:ncurses_base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_base:ncurses-base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_base:ncurses_base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses-base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses_base:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ncurses-base@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-6141","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6141","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03479},"relatedVulnerabilities":[{"id":"CVE-2025-6141","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6141","namespace":"nvd:cpe","severity":"Medium","urls":["https://invisible-island.net/ncurses/NEWS.html#index-t20250329","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html","https://vuldb.com/?ctiid.312610","https://vuldb.com/?id.312610","https://vuldb.com/?submit.593000","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6141","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ncurses-bin-a6728d83d34dc83a","name":"ncurses-bin","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND 
X11"],"cpes":["cpe:2.3:a:ncurses-bin:ncurses-bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses-bin:ncurses_bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_bin:ncurses-bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_bin:ncurses_bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses-bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses_bin:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ncurses-bin@6.5%2B20250216-2?arch=arm64&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-6141","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6141","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03479},"relatedVulnerabilities":[{"id":"CVE-2025-6141","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6141","namespace":"nvd:cpe","severity":"Medium","urls":["https://invisible-island.net/ncurses/NEWS.html#index-t20250329","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html","https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html","https://vuldb.com/?ctiid.312610","https://vuldb.com/?id.312610","https://vuldb.com/?submit.593000","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6141","epss":0.00071,"percentile":0.21478,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6141","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-6141","cwe":"CWE-121","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6141","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ncurses-term-7583d06e0c71039c","name":"ncurses-term","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND 
X11"],"cpes":["cpe:2.3:a:ncurses-term:ncurses-term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses-term:ncurses_term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_term:ncurses-term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_term:ncurses_term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses-term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses_term:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ncurses-term@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdextrautils-c23db0b188308a2a","name":"bsdextrautils","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdextrautils:bsdextrautils:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdextrautils@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdutils-e11ccc6cace058fe","name":"bsdutils","version":"1:2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdutils:bsdutils:1\\:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdutils@1%3A2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-eject-ea768bbeeffb7a52","name":"eject","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:eject:eject:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/eject@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-fdisk-ec3e750aea21e029","name":"fdisk","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:fdisk:fdisk:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/fdisk@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libblkid1-56b1dc826d98b9e9","name":"libblkid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libblkid1:libblkid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libblkid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libfdisk1-bbbefcb8907b3bd7","name":"libfdisk1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libfdisk1:libfdisk1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libfdisk1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-liblastlog2-2-ad0e084a4ff7b411","name":"liblastlog2-2","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:liblastlog2-2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2-2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/liblastlog2-2@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. 
Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libmount1-66459d6a2e55223e","name":"libmount1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libmount1:libmount1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libmount1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsmartcols1-92fb21c80f37cd86","name":"libsmartcols1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsmartcols1:libsmartcols1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsmartcols1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libuuid1-fd028c3811b88694","name":"libuuid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libuuid1:libuuid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libuuid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-login-b08f21232e226b47","name":"login","version":"1:4.16.0-2+really2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:login:login:1\\:4.16.0-2\\+really2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-mount-2a84395d15f466a5","name":"mount","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:mount:mount:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/mount@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-rfkill-6166963bfe2df59a","name":"rfkill","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:rfkill:rfkill:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/rfkill@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-3184","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3184","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. 
A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.034505},"relatedVulnerabilities":[{"id":"CVE-2026-3184","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3184","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2026-3184","https://bugzilla.redhat.com/show_bug.cgi?id=2442570"],"description":"A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. 
This could lead to unauthorized access.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3184","epss":0.00103,"percentile":0.2785,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3184","cwe":"CWE-289","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3184","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-util-linux-ffaa6c8a5d0e2ea9","name":"util-linux","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:util-linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util-linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util_linux:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/util-linux@2.41-5?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-5928","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5928","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and 
multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.  A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0345},"relatedVulnerabilities":[{"id":"CVE-2026-5928","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5928","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33998"],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional 
disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5928","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND 
LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5928","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5928","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.  A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. 
The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0345},"relatedVulnerabilities":[{"id":"CVE-2026-5928","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5928","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33998"],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. 
The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5928","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5928","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5928","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.  A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. 
The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0345},"relatedVulnerabilities":[{"id":"CVE-2026-5928","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5928","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33998"],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. 
The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5928","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5928","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5928","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.  A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. 
The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0345},"relatedVulnerabilities":[{"id":"CVE-2026-5928","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5928","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33998"],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. 
The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00046,"percentile":0.14058,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5928","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2024-2236","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-2236","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.","cvss":[],"epss":[{"cve":"CVE-2024-2236","epss":0.00684,"percentile":0.71735,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-2236","cwe":"CWE-385","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0342},"relatedVulnerabilities":[{"id":"CVE-2024-2236","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-2236","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2024:9404","https://access.redhat.com/errata/RHSA-2025:3530","https://access.redhat.com/errata/RHSA-2025:3534","https://access.redhat.com/security/cve/CVE-2024-2236","https://bugzilla.redhat.com/show_bug.cgi?id=2245218","https://bugzilla.redhat.com/show_bug.cgi?id=2268268"],"description":"A timing-based side-channel flaw was found in libgcrypt's RSA implementation. 
This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-2236","epss":0.00684,"percentile":0.71735,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-2236","cwe":"CWE-385","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libgcrypt20","version":"1.11.0-7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-2236","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgcrypt20-c86a9e34e4b86f35","name":"libgcrypt20","version":"1.11.0-7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgcrypt20:libgcrypt20:1.11.0-7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgcrypt20@1.11.0-7?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-0990","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0990","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. 
This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0990","epss":0.00062,"percentile":0.19031,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0990","cwe":"CWE-674","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.03379},"relatedVulnerabilities":[{"id":"CVE-2026-0990","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0990","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:7519","https://access.redhat.com/security/cve/CVE-2026-0990","https://bugzilla.redhat.com/show_bug.cgi?id=2429959","https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018"],"description":"A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. 
This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0990","epss":0.00062,"percentile":0.19031,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0990","cwe":"CWE-674","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0990","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libxml2-5856779bb2cc8107","name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2","type":"deb","locations":null,"language":"","licenses":["ISC AND LicenseRef-MIT-1"],"cpes":["cpe:2.3:a:libxml2:libxml2:2.12.7\\+dfsg\\+really2.9.14-2.1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20712","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20712","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03365},"relatedVulnerabilities":[{"id":"CVE-2018-20712","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20712","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106563","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629","https://sourceware.org/bugzilla/show_bug.cgi?id=24043","https://support.f5.com/csp/article/K38336243"],"description":"A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20712","epss":0.00673,"percentile":0.71471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20712","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20712","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6766","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6766","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Incorrect boundary conditions in the Libraries component in NSS. 
This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6766","epss":0.00044,"percentile":0.13452,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6766","cwe":"CWE-754","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.033},"relatedVulnerabilities":[{"id":"CVE-2026-6766","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6766","namespace":"nvd:cpe","severity":"High","urls":["https://bugzilla.mozilla.org/show_bug.cgi?id=2023207","https://www.mozilla.org/security/advisories/mfsa2026-30/","https://www.mozilla.org/security/advisories/mfsa2026-32/","https://www.mozilla.org/security/advisories/mfsa2026-33/","https://www.mozilla.org/security/advisories/mfsa2026-34/"],"description":"Incorrect boundary conditions in the Libraries component in NSS. 
This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6766","epss":0.00044,"percentile":0.13452,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6766","cwe":"CWE-754","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nss","version":"2:3.110-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6766","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss3-2c7a45e72cefc3cc","name":"libnss3","version":"2:3.110-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3 AND MPL-2.0 AND Zlib AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss3:libnss3:2\\:3.110-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=nss","upstreams":[{"name":"nss"}]}},{"vulnerability":{"id":"CVE-2026-4046","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4046","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.    
This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.033},"relatedVulnerabilities":[{"id":"CVE-2026-4046","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4046","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=33980","https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need 
them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4046","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4046","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4046","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.    This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need 
them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.033},"relatedVulnerabilities":[{"id":"CVE-2026-4046","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4046","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=33980","https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need 
them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4046","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4046","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4046","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.    
This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.033},"relatedVulnerabilities":[{"id":"CVE-2026-4046","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4046","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=33980","https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need 
them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4046","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4046","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4046","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.    This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.033},"relatedVulnerabilities":[{"id":"CVE-2026-4046","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4046","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=33980","https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially 
mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00044,"percentile":0.13212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4046","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2020-36325","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-36325","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification","cvss":[],"epss":[{"cve":"CVE-2020-36325","epss":0.00659,"percentile":0.71162,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-36325","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.03295000000000001},"relatedVulnerabilities":[{"id":"CVE-2020-36325","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-36325","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/akheron/jansson/issues/548"],"description":"An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. 
NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-36325","epss":0.00659,"percentile":0.71162,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-36325","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"jansson","version":"2.14-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-36325","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libjansson4-0782b755b96fedd9","name":"libjansson4","version":"2.14-2+b3","type":"deb","locations":null,"language":"","licenses":["Expat"],"cpes":["cpe:2.3:a:libjansson4:libjansson4:2.14-2\\+b3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libjansson4@2.14-2%2Bb3?arch=arm64&distro=debian-13&upstream=jansson%402.14-2","upstreams":[{"name":"jansson","version":"2.14-2"}]}},{"vulnerability":{"id":"CVE-2026-1502","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1502","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or 
host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.032635},"relatedVulnerabilities":[{"id":"CVE-2026-1502","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1502","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69","https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed","https://github.com/python/cpython/issues/146211","https://github.com/python/cpython/pull/146212","https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/","http://www.openwall.com/lists/oss-security/2026/04/11/4"],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1502","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-1502","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1502","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or 
host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.032635},"relatedVulnerabilities":[{"id":"CVE-2026-1502","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1502","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69","https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed","https://github.com/python/cpython/issues/146211","https://github.com/python/cpython/pull/146212","https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/","http://www.openwall.com/lists/oss-security/2026/04/11/4"],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1502","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-1502","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1502","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or 
host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.032635},"relatedVulnerabilities":[{"id":"CVE-2026-1502","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1502","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69","https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed","https://github.com/python/cpython/issues/146211","https://github.com/python/cpython/pull/146212","https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/","http://www.openwall.com/lists/oss-security/2026/04/11/4"],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1502","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-1502","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1502","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.032635},"relatedVulnerabilities":[{"id":"CVE-2026-1502","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1502","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69","https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed","https://github.com/python/cpython/issues/146211","https://github.com/python/cpython/pull/146212","https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/","http://www.openwall.com/lists/oss-security/2026/04/11/4"],"description":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or 
host.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1502","epss":0.00061,"percentile":0.18776,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1502","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2019-1010024","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010024","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0323},"relatedVulnerabilities":[{"id":"CVE-2019-1010024","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010024","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/109162","https://security-tracker.debian.org/tracker/CVE-2019-1010024","https://sourceware.org/bugzilla/show_bug.cgi?id=22852","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010024"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010024","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010024","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010024","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0323},"relatedVulnerabilities":[{"id":"CVE-2019-1010024","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010024","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/109162","https://security-tracker.debian.org/tracker/CVE-2019-1010024","https://sourceware.org/bugzilla/show_bug.cgi?id=22852","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010024"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010024","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010024","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010024","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0323},"relatedVulnerabilities":[{"id":"CVE-2019-1010024","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010024","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/109162","https://security-tracker.debian.org/tracker/CVE-2019-1010024","https://sourceware.org/bugzilla/show_bug.cgi?id=22852","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010024"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010024","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010024","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010024","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0323},"relatedVulnerabilities":[{"id":"CVE-2019-1010024","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010024","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/109162","https://security-tracker.debian.org/tracker/CVE-2019-1010024","https://sourceware.org/bugzilla/show_bug.cgi?id=22852","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010024"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010024","epss":0.00646,"percentile":0.70804,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010024","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-35385","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35385","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35385","epss":0.00039,"percentile":0.11549,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35385","cwe":"CWE-281","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.030420000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-35385","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35385","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve 
mode).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35385","epss":0.00039,"percentile":0.11549,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35385","cwe":"CWE-281","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35385","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35385","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35385","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35385","epss":0.00039,"percentile":0.11549,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35385","cwe":"CWE-281","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.030420000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-35385","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35385","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome 
contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35385","epss":0.00039,"percentile":0.11549,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35385","cwe":"CWE-281","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35385","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35385","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35385","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35385","epss":0.00039,"percentile":0.11549,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35385","cwe":"CWE-281","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.030420000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-35385","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35385","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome 
contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35385","epss":0.00039,"percentile":0.11549,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35385","cwe":"CWE-281","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35385","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2025-59375","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-59375","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for 
parsing.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59375","epss":0.0004,"percentile":0.12038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59375","cwe":"CWE-770","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.030000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-59375","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-59375","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74","https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes","https://github.com/libexpat/libexpat/issues/1018","https://github.com/libexpat/libexpat/pull/1034","https://issues.oss-fuzz.com/issues/439133977","http://www.openwall.com/lists/oss-security/2025/09/16/2"],"description":"libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59375","epss":0.0004,"percentile":0.12038,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59375","cwe":"CWE-770","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-59375","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2025-60876","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-60876","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60876","epss":0.00051,"percentile":0.15865,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60876","cwe":"CWE-284","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.029325},"relatedVulnerabilities":[{"id":"CVE-2025-60876","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-60876","namespace":"nvd:cpe","severity":"Medium","urls":["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"],"description":"BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP 
request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60876","epss":0.00051,"percentile":0.15865,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60876","cwe":"CWE-284","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60876","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60876","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2026-34743","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34743","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"XZ Utils provide a general-purpose data-compression library plus 
command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34743","epss":0.00055,"percentile":0.17134,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34743","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.028325000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-34743","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34743","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87","https://github.com/tukaani-project/xz/releases/tag/v5.8.3","https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv","http://www.openwall.com/lists/oss-security/2026/03/31/13"],"description":"XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. 
This issue has been patched in version 5.8.3.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34743","epss":0.00055,"percentile":0.17134,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34743","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"xz-utils","version":"5.8.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34743","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-liblzma5-e91324a53de66250","name":"liblzma5","version":"5.8.1-1","type":"deb","locations":null,"language":"","licenses":["0BSD AND FSFUL AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND LicenseRef-GPL-3.0-or-later-WITH-Autoconf-exception-macro AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-PD AND LicenseRef-PD-debian AND LicenseRef-noderivs AND LicenseRef-permissive-nowarranty"],"cpes":["cpe:2.3:a:liblzma5:liblzma5:5.8.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/liblzma5@5.8.1-1?arch=arm64&distro=debian-13&upstream=xz-utils","upstreams":[{"name":"xz-utils"}]}},{"vulnerability":{"id":"CVE-2026-34743","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34743","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"XZ Utils provide a general-purpose data-compression library plus command-line tools. 
Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34743","epss":0.00055,"percentile":0.17134,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34743","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.028325000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-34743","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34743","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87","https://github.com/tukaani-project/xz/releases/tag/v5.8.3","https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv","http://www.openwall.com/lists/oss-security/2026/03/31/13"],"description":"XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. 
This issue has been patched in version 5.8.3.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34743","epss":0.00055,"percentile":0.17134,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34743","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"xz-utils","version":"5.8.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34743","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xz-utils-d8773905c2bc875d","name":"xz-utils","version":"5.8.1-1","type":"deb","locations":null,"language":"","licenses":["0BSD AND FSFUL AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND LicenseRef-GPL-3.0-or-later-WITH-Autoconf-exception-macro AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-PD AND LicenseRef-PD-debian AND LicenseRef-noderivs AND 
LicenseRef-permissive-nowarranty"],"cpes":["cpe:2.3:a:xz-utils:xz-utils:5.8.1-1:*:*:*:*:*:*:*","cpe:2.3:a:xz-utils:xz_utils:5.8.1-1:*:*:*:*:*:*:*","cpe:2.3:a:xz_utils:xz-utils:5.8.1-1:*:*:*:*:*:*:*","cpe:2.3:a:xz_utils:xz_utils:5.8.1-1:*:*:*:*:*:*:*","cpe:2.3:a:xz:xz-utils:5.8.1-1:*:*:*:*:*:*:*","cpe:2.3:a:xz:xz_utils:5.8.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xz-utils@5.8.1-1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2018-1000500","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-1000500","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".","cvss":[],"epss":[{"cve":"CVE-2018-1000500","epss":0.00559,"percentile":0.68338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-1000500","cwe":"CWE-295","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-1000500","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.027950000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-1000500","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000500","namespace":"nvd:cpe","severity":"High","urls":["http://lists.busybox.net/pipermail/busybox/2018-May/086462.html","https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91","https://usn.ubuntu.com/4531-1/"],"description":"Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. 
This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-1000500","epss":0.00559,"percentile":0.68338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-1000500","cwe":"CWE-295","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-1000500","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-1000500","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-1000500","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2026-5435","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5435","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.027379999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-5435","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5435","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34033"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG 
records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5435","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5435","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5435","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.027379999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-5435","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5435","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34033"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied 
buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5435","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5435","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5435","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.027379999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-5435","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5435","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34033"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the 
caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5435","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5435","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5435","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.027379999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-5435","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5435","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34033"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG 
records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5435","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2025-59529","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-59529","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. 
But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.026250000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-59529","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-59529","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/pull/808","https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q","https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529","http://www.openwall.com/lists/oss-security/2025/12/19/1"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. 
Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-59529","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND 
LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-59529","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-59529","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. 
Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.026250000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-59529","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-59529","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/pull/808","https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q","https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529","http://www.openwall.com/lists/oss-security/2025/12/19/1"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. 
Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-59529","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-59529","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-59529","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. 
Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted 
users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.026250000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-59529","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-59529","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/pull/808","https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q","https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529","http://www.openwall.com/lists/oss-security/2025/12/19/1"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. 
As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-59529","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND 
LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-59529","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-59529","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. 
It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.026250000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-59529","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-59529","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/pull/808","https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q","https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529","http://www.openwall.com/lists/oss-security/2025/12/19/1"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. 
When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. 
Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-59529","epss":0.0005,"percentile":0.15418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-59529","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-59529","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-46394","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-46394","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape 
sequences.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-46394","epss":0.00083,"percentile":0.24054,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-46394","cwe":"CWE-451","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.026144999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-46394","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-46394","namespace":"nvd:cpe","severity":"Low","urls":["https://bugs.busybox.net/show_bug.cgi?id=16018","https://www.busybox.net","https://www.busybox.net/downloads/","http://www.openwall.com/lists/oss-security/2025/04/23/5","http://www.openwall.com/lists/oss-security/2025/04/24/3"],"description":"In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N","metrics":{"baseScore":3.2,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-46394","epss":0.00083,"percentile":0.24054,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-46394","cwe":"CWE-451","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-46394","versionConstraint":"none 
(unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-46394","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2018-6829","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-6829","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.","cvss":[],"epss":[{"cve":"CVE-2018-6829","epss":0.00515,"percentile":0.66686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-6829","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.025750000000000002},"relatedVulnerabilities":[{"id":"CVE-2018-6829","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-6829","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/weikengchen/attack-on-libgcrypt-elgamal","https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki","https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html","https://www.oracle.com/security-alerts/cpujan2020.html"],"description":"cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-6829","epss":0.00515,"percentile":0.66686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-6829","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libgcrypt20","version":"1.11.0-7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-6829","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgcrypt20-c86a9e34e4b86f35","name":"libgcrypt20","version":"1.11.0-7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgcrypt20:libgcrypt20:1.11.0-7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgcrypt20@1.11.0-7?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-47268","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-47268","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp 
multiplication.","cvss":[],"epss":[{"cve":"CVE-2025-47268","epss":0.00508,"percentile":0.66386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-47268","cwe":"CWE-190","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.025400000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-47268","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-47268","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugzilla.suse.com/show_bug.cgi?id=1242300","https://github.com/Zephkek/ping-rtt-overflow/","https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40","https://github.com/iputils/iputils/issues/584","https://github.com/iputils/iputils/pull/585","https://github.com/iputils/iputils/releases/tag/20250602"],"description":"ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-47268","epss":0.00508,"percentile":0.66386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-47268","cwe":"CWE-190","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"iputils","version":"3:20240905-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-47268","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-iputils-ping-49066cbd87384c54","name":"iputils-ping","version":"3:20240905-3","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:iputils-ping:iputils-ping:3\\:20240905-3:*:*:*:*:*:*:*","cpe:2.3:a:iputils-ping:iputils_ping:3\\:20240905-3:*:*:*:*:*:*:*","cpe:2.3:a:iputils_ping:iputils-ping:3\\:20240905-3:*:*:*:*:*:*:*","cpe:2.3:a:iputils_ping:iputils_ping:3\\:20240905-3:*:*:*:*:*:*:*","cpe:2.3:a:iputils:iputils-ping:3\\:20240905-3:*:*:*:*:*:*:*","cpe:2.3:a:iputils:iputils_ping:3\\:20240905-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/iputils-ping@3%3A20240905-3?arch=arm64&distro=debian-13&upstream=iputils","upstreams":[{"name":"iputils"}]}},{"vulnerability":{"id":"CVE-2026-28387","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28387","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.  Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.  However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.  By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages.  These SMTP (or other similar) clients are not vulnerable to this issue.  Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.  The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.  
No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28387","epss":0.00032,"percentile":0.09144,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28387","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.024960000000000006},"relatedVulnerabilities":[{"id":"CVE-2026-28387","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28387","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b","https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe","https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3","https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7","https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: An uncommon configuration of clients performing DANE TLSA-based\nserver authentication, when paired with uncommon server DANE TLSA records, may\nresult in a use-after-free and/or double-free on the client side.\n\nImpact summary: A use after free can have a range of potential consequences\nsuch as the corruption of valid data, crashes or execution of arbitrary code.\n\nHowever, the issue only affects clients that make use of TLSA records with both\nthe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate\nusage.\n\nBy far the 
most common deployment of DANE is in SMTP MTAs for which RFC7672\nrecommends that clients treat as 'unusable' any TLSA records that have the PKIX\ncertificate usages.  These SMTP (or other similar) clients are not vulnerable\nto this issue.  Conversely, any clients that support only the PKIX usages, and\nignore the DANE-TA(2) usage are also not vulnerable.\n\nThe client would also need to be communicating with a server that publishes a\nTLSA RRset with both types of TLSA records.\n\nNo FIPS modules are affected by this issue, the problem code is outside the\nFIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28387","epss":0.00032,"percentile":0.09144,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28387","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28387","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-libssl3t64-fbc7f38a88f32ab8","name":"libssl3t64","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-28387","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28387","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.  Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.  However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.  By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages.  These SMTP (or other similar) clients are not vulnerable to this issue.  Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.  The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.  
No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28387","epss":0.00032,"percentile":0.09144,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28387","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.024960000000000006},"relatedVulnerabilities":[{"id":"CVE-2026-28387","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28387","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b","https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe","https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3","https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7","https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: An uncommon configuration of clients performing DANE TLSA-based\nserver authentication, when paired with uncommon server DANE TLSA records, may\nresult in a use-after-free and/or double-free on the client side.\n\nImpact summary: A use after free can have a range of potential consequences\nsuch as the corruption of valid data, crashes or execution of arbitrary code.\n\nHowever, the issue only affects clients that make use of TLSA records with both\nthe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate\nusage.\n\nBy far the 
most common deployment of DANE is in SMTP MTAs for which RFC7672\nrecommends that clients treat as 'unusable' any TLSA records that have the PKIX\ncertificate usages.  These SMTP (or other similar) clients are not vulnerable\nto this issue.  Conversely, any clients that support only the PKIX usages, and\nignore the DANE-TA(2) usage are also not vulnerable.\n\nThe client would also need to be communicating with a server that publishes a\nTLSA RRset with both types of TLSA records.\n\nNo FIPS modules are affected by this issue, the problem code is outside the\nFIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28387","epss":0.00032,"percentile":0.09144,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28387","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28387","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-0bb8411929274959","name":"openssl","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl:openssl:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl@3.5.5-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-28387","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28387","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: An uncommon configuration of 
clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.  Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.  However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.  By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages.  These SMTP (or other similar) clients are not vulnerable to this issue.  Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.  The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.  No FIPS modules are affected by this issue, the problem code is outside the FIPS module 
boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28387","epss":0.00032,"percentile":0.09144,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28387","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.024960000000000006},"relatedVulnerabilities":[{"id":"CVE-2026-28387","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28387","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b","https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe","https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3","https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7","https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: An uncommon configuration of clients performing DANE TLSA-based\nserver authentication, when paired with uncommon server DANE TLSA records, may\nresult in a use-after-free and/or double-free on the client side.\n\nImpact summary: A use after free can have a range of potential consequences\nsuch as the corruption of valid data, crashes or execution of arbitrary code.\n\nHowever, the issue only affects clients that make use of TLSA records with both\nthe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate\nusage.\n\nBy far the most common deployment of DANE is in SMTP MTAs for which RFC7672\nrecommends that 
clients treat as 'unusable' any TLSA records that have the PKIX\ncertificate usages.  These SMTP (or other similar) clients are not vulnerable\nto this issue.  Conversely, any clients that support only the PKIX usages, and\nignore the DANE-TA(2) usage are also not vulnerable.\n\nThe client would also need to be communicating with a server that publishes a\nTLSA RRset with both types of TLSA records.\n\nNo FIPS modules are affected by this issue, the problem code is outside the\nFIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28387","epss":0.00032,"percentile":0.09144,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28387","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28387","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-provider-legacy-58635bb375629269","name":"openssl-provider-legacy","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl-provider-legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider-legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-41080","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-41080","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML 
document.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41080","epss":0.00033,"percentile":0.09592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41080","cwe":"CWE-331","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02475},"relatedVulnerabilities":[{"id":"CVE-2026-41080","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-41080","namespace":"nvd:cpe","severity":"High","urls":["https://blog.hartwork.org/posts/expat-2-8-0-released/","https://github.com/libexpat/libexpat/issues/47","https://github.com/libexpat/libexpat/pull/1183","https://www.openwall.com/lists/oss-security/2026/04/26/1","http://www.openwall.com/lists/oss-security/2026/04/26/1"],"description":"libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41080","epss":0.00033,"percentile":0.09592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41080","cwe":"CWE-331","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-41080","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2026-24401","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24401","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. 
This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024724999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-24401","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24401","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524","https://github.com/avahi/avahi/issues/501","https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. 
This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24401","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-24401","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24401","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024724999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-24401","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24401","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524","https://github.com/avahi/avahi/issues/501","https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. 
The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24401","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND 
LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-24401","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24401","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. 
This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024724999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-24401","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24401","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524","https://github.com/avahi/avahi/issues/501","https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. 
This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24401","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-24401","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24401","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a 
local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024724999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-24401","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24401","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524","https://github.com/avahi/avahi/issues/501","https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). 
This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24401","epss":0.00043,"percentile":0.13014,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24401","cwe":"CWE-674","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24401","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND 
LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-6767","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6767","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6767","epss":0.00048,"percentile":0.14669,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6767","cwe":"CWE-119","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.02472},"relatedVulnerabilities":[{"id":"CVE-2026-6767","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6767","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugzilla.mozilla.org/show_bug.cgi?id=2023209","https://www.mozilla.org/security/advisories/mfsa2026-30/","https://www.mozilla.org/security/advisories/mfsa2026-31/","https://www.mozilla.org/security/advisories/mfsa2026-32/","https://www.mozilla.org/security/advisories/mfsa2026-33/","https://www.mozilla.org/security/advisories/mfsa2026-34/"],"description":"Other issue in the Libraries component in NSS. 
This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6767","epss":0.00048,"percentile":0.14669,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6767","cwe":"CWE-119","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nss","version":"2:3.110-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6767","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss3-2c7a45e72cefc3cc","name":"libnss3","version":"2:3.110-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3 AND MPL-2.0 AND Zlib AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss3:libnss3:2\\:3.110-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=nss","upstreams":[{"name":"nss"}]}},{"vulnerability":{"id":"CVE-2026-0988","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0988","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024454999999999994},"relatedVulnerabilities":[{"id":"CVE-2026-0988","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0988","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7461","https://access.redhat.com/security/cve/CVE-2026-0988","https://bugzilla.redhat.com/show_bug.cgi?id=2429886","https://gitlab.gnome.org/GNOME/glib/-/issues/3851"],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0988","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gir1.2-glib-2.0-e0776636faa7c9e3","name":"gir1.2-glib-2.0","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:gir1.2-glib-2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib-2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gir1.2-glib-2.0@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-0988","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0988","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024454999999999994},"relatedVulnerabilities":[{"id":"CVE-2026-0988","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0988","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7461","https://access.redhat.com/security/cve/CVE-2026-0988","https://bugzilla.redhat.com/show_bug.cgi?id=2429886","https://gitlab.gnome.org/GNOME/glib/-/issues/3851"],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0988","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-0t64-eefae290723bdc16","name":"libglib2.0-0t64","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-0988","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0988","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024454999999999994},"relatedVulnerabilities":[{"id":"CVE-2026-0988","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0988","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7461","https://access.redhat.com/security/cve/CVE-2026-0988","https://bugzilla.redhat.com/show_bug.cgi?id=2429886","https://gitlab.gnome.org/GNOME/glib/-/issues/3851"],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0988","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-bin-cfa6976752b86f25","name":"libglib2.0-bin","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-bin@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-0988","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0988","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024454999999999994},"relatedVulnerabilities":[{"id":"CVE-2026-0988","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0988","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7461","https://access.redhat.com/security/cve/CVE-2026-0988","https://bugzilla.redhat.com/show_bug.cgi?id=2429886","https://gitlab.gnome.org/GNOME/glib/-/issues/3851"],"description":"A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. 
This can cause application crashes, leading to a Denial of Service (DoS).","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0988","epss":0.00073,"percentile":0.21831,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0988","cwe":"CWE-190","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0988","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-data-bbd4ccdf8b009a02","name":"libglib2.0-data","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-data@2.84.4-3~deb13u2?arch=all&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2016-9918","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9918","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, an out-of-bounds read was identified in \"packet_hexdump\" function in \"monitor/packet.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[],"epss":[{"cve":"CVE-2016-9918","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9918","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024450000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9918","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9918","namespace":"nvd:cpe","severity":"High","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00054.html","http://www.securityfocus.com/bid/95013","https://www.spinics.net/lists/linux-bluetooth/msg68898.html"],"description":"In BlueZ 5.42, an out-of-bounds read was identified in \"packet_hexdump\" function in \"monitor/packet.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9918","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9918","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9918","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2012-0039","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-0039","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024450000000000003},"relatedVulnerabilities":[{"id":"CVE-2012-0039","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-0039","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044","http://mail.gnome.org/archives/gtk-devel-list/2003-May/msg00111.html","http://openwall.com/lists/oss-security/2012/01/10/12","https://bugzilla.redhat.com/show_bug.cgi?id=772720"],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-0039","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gir1.2-glib-2.0-e0776636faa7c9e3","name":"gir1.2-glib-2.0","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:gir1.2-glib-2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib-2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gir1.2-glib-2.0@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2016-9918","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9918","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, an out-of-bounds read was identified in \"packet_hexdump\" function in \"monitor/packet.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[],"epss":[{"cve":"CVE-2016-9918","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9918","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024450000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9918","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9918","namespace":"nvd:cpe","severity":"High","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00054.html","http://www.securityfocus.com/bid/95013","https://www.spinics.net/lists/linux-bluetooth/msg68898.html"],"description":"In BlueZ 5.42, an out-of-bounds read was identified in \"packet_hexdump\" function in \"monitor/packet.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9918","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9918","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9918","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2012-0039","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-0039","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024450000000000003},"relatedVulnerabilities":[{"id":"CVE-2012-0039","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-0039","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044","http://mail.gnome.org/archives/gtk-devel-list/2003-May/msg00111.html","http://openwall.com/lists/oss-security/2012/01/10/12","https://bugzilla.redhat.com/show_bug.cgi?id=772720"],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-0039","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-0t64-eefae290723bdc16","name":"libglib2.0-0t64","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2012-0039","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-0039","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024450000000000003},"relatedVulnerabilities":[{"id":"CVE-2012-0039","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-0039","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044","http://mail.gnome.org/archives/gtk-devel-list/2003-May/msg00111.html","http://openwall.com/lists/oss-security/2012/01/10/12","https://bugzilla.redhat.com/show_bug.cgi?id=772720"],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-0039","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-bin-cfa6976752b86f25","name":"libglib2.0-bin","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-bin@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2012-0039","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-0039","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024450000000000003},"relatedVulnerabilities":[{"id":"CVE-2012-0039","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-0039","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044","http://mail.gnome.org/archives/gtk-devel-list/2003-May/msg00111.html","http://openwall.com/lists/oss-security/2012/01/10/12","https://bugzilla.redhat.com/show_bug.cgi?id=772720"],"description":"GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-0039","epss":0.00489,"percentile":0.6556,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2012-0039","cwe":"CWE-310","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-0039","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-data-bbd4ccdf8b009a02","name":"libglib2.0-data","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-data@2.84.4-3~deb13u2?arch=all&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-31789","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-31789","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.  Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.  If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.  Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31789","epss":0.00026,"percentile":0.07277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31789","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.024439999999999996},"relatedVulnerabilities":[{"id":"CVE-2026-31789","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31789","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde","https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf","https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49","https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9","https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: Converting an excessively large OCTET STRING value to\na hexadecimal string leads to a heap buffer overflow on 32 bit platforms.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nan attacker controlled code execution or other undefined behavior.\n\nIf an attacker can supply a crafted X.509 certificate with an excessively\nlarge OCTET STRING value in extensions such as the Subject Key Identifier\n(SKID) or Authority Key Identifier (AKID) which are being converted to 
hex,\nthe size of the buffer needed for the result is calculated as multiplication\nof the input length by 3. On 32 bit platforms, this multiplication may overflow\nresulting in the allocation of a smaller buffer and a heap buffer overflow.\n\nApplications and services that print or log contents of untrusted X.509\ncertificates are vulnerable to this issue. As the certificates would have\nto have sizes of over 1 Gigabyte, printing or logging such certificates\nis a fairly unlikely operation and only 32 bit platforms are affected,\nthis issue was assigned Low severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31789","epss":0.00026,"percentile":0.07277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31789","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-31789","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-libssl3t64-fbc7f38a88f32ab8","name":"libssl3t64","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-31789","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-31789","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.  Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.  If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.  Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31789","epss":0.00026,"percentile":0.07277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31789","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.024439999999999996},"relatedVulnerabilities":[{"id":"CVE-2026-31789","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31789","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde","https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf","https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49","https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9","https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: Converting an excessively large OCTET STRING value to\na hexadecimal string leads to a heap buffer overflow on 32 bit platforms.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nan attacker controlled code execution or other undefined behavior.\n\nIf an attacker can supply a crafted X.509 certificate with an excessively\nlarge OCTET STRING value in extensions such as the Subject Key Identifier\n(SKID) or Authority Key Identifier (AKID) which are being converted to 
hex,\nthe size of the buffer needed for the result is calculated as multiplication\nof the input length by 3. On 32 bit platforms, this multiplication may overflow\nresulting in the allocation of a smaller buffer and a heap buffer overflow.\n\nApplications and services that print or log contents of untrusted X.509\ncertificates are vulnerable to this issue. As the certificates would have\nto have sizes of over 1 Gigabyte, printing or logging such certificates\nis a fairly unlikely operation and only 32 bit platforms are affected,\nthis issue was assigned Low severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31789","epss":0.00026,"percentile":0.07277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31789","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-31789","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-0bb8411929274959","name":"openssl","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl:openssl:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl@3.5.5-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-31789","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-31789","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.  Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.  If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.  Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31789","epss":0.00026,"percentile":0.07277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31789","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.024439999999999996},"relatedVulnerabilities":[{"id":"CVE-2026-31789","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31789","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde","https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf","https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49","https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9","https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: Converting an excessively large OCTET STRING value to\na hexadecimal string leads to a heap buffer overflow on 32 bit platforms.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nan attacker controlled code execution or other undefined behavior.\n\nIf an attacker can supply a crafted X.509 certificate with an excessively\nlarge OCTET STRING value in extensions such as the Subject Key Identifier\n(SKID) or Authority Key Identifier (AKID) which are being converted to 
hex,\nthe size of the buffer needed for the result is calculated as multiplication\nof the input length by 3. On 32 bit platforms, this multiplication may overflow\nresulting in the allocation of a smaller buffer and a heap buffer overflow.\n\nApplications and services that print or log contents of untrusted X.509\ncertificates are vulnerable to this issue. As the certificates would have\nto have sizes of over 1 Gigabyte, printing or logging such certificates\nis a fairly unlikely operation and only 32 bit platforms are affected,\nthis issue was assigned Low severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31789","epss":0.00026,"percentile":0.07277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31789","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-31789","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-provider-legacy-58635bb375629269","name":"openssl-provider-legacy","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl-provider-legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider-legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-27459","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27459","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. 
Starting in version 26.0.0, cookie values that are too long are now rejected.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27459","epss":0.00026,"percentile":0.07209,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27459","cwe":"CWE-120","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024439999999999996},"relatedVulnerabilities":[{"id":"CVE-2026-27459","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27459","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst","https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408","https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4"],"description":"pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. 
Starting in version 26.0.0, cookie values that are too long are now rejected.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":7.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27459","epss":0.00026,"percentile":0.07209,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27459","cwe":"CWE-120","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"pyopenssl","version":"25.0.0-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27459","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-python3-openssl-b0890c95bb82a9bb","name":"python3-openssl","version":"25.0.0-1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0"],"cpes":["cpe:2.3:a:python3-openssl:python3-openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3-openssl:python3_openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3_openssl:python3-openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3_openssl:python3_openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_openssl:25.0.0-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-openssl@25.0.0-1?arch=all&distro=debian-13&upstream=pyopenssl","upstreams":[{"name":"pyopenssl"}]}},{"vulnerability":{"id":"CVE-2016-9798","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9798","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a use-after-free was identified in \"conf_opt\" function in \"tools/parser/l2cap.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9798","epss":0.00487,"percentile":0.65504,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9798","cwe":"CWE-416","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.02435},"relatedVulnerabilities":[{"id":"CVE-2016-9798","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9798","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00071.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00072.html","http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a use-after-free was identified in \"conf_opt\" function in \"tools/parser/l2cap.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9798","epss":0.00487,"percentile":0.65504,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9798","cwe":"CWE-416","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9798","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9798","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9798","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a use-after-free was identified in \"conf_opt\" function in \"tools/parser/l2cap.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9798","epss":0.00487,"percentile":0.65504,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9798","cwe":"CWE-416","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.02435},"relatedVulnerabilities":[{"id":"CVE-2016-9798","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9798","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00071.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00072.html","http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a use-after-free was identified in \"conf_opt\" function in \"tools/parser/l2cap.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9798","epss":0.00487,"percentile":0.65504,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9798","cwe":"CWE-416","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9798","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2026-34982","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34982","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. 
Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":1.9,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34982","epss":0.00031,"percentile":0.09006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34982","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024335},"relatedVulnerabilities":[{"id":"CVE-2026-34982","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34982","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615","https://github.com/vim/vim/releases/tag/v9.2.0276","https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9","http://www.openwall.com/lists/oss-security/2026/04/01/1"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. 
Commit 9.2.0276 fixes the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":1.9,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34982","epss":0.00031,"percentile":0.09006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34982","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34982","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-34982","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34982","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. 
Commit 9.2.0276 fixes the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":1.9,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34982","epss":0.00031,"percentile":0.09006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34982","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024335},"relatedVulnerabilities":[{"id":"CVE-2026-34982","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34982","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615","https://github.com/vim/vim/releases/tag/v9.2.0276","https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9","http://www.openwall.com/lists/oss-security/2026/04/01/1"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. 
Commit 9.2.0276 fixes the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":1.9,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34982","epss":0.00031,"percentile":0.09006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34982","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34982","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-34982","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34982","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. 
Commit 9.2.0276 fixes the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":1.9,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34982","epss":0.00031,"percentile":0.09006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34982","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.024335},"relatedVulnerabilities":[{"id":"CVE-2026-34982","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34982","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615","https://github.com/vim/vim/releases/tag/v9.2.0276","https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9","http://www.openwall.com/lists/oss-security/2026/04/01/1"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. 
Commit 9.2.0276 fixes the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":1.9,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34982","epss":0.00031,"percentile":0.09006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34982","cwe":"CWE-78","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34982","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-15282","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15282","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL 
mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-15282","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15282","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0","https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38","https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80","https://github.com/python/cpython/commit/4ed11d3cd288e6b90196a15c5a825a45d318fe47","https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a","https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f","https://github.com/python/cpython/issues/143925","https://github.com/python/cpython/pull/143926","https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/"],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL 
mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15282","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-1299","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1299","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The  email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers 
when  serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-1299","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1299","namespace":"nvd:cpe","severity":"Medium","urls":["https://cve.org/CVERecord?id=CVE-2024-6923","https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413","https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8","https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9","https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4","https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36","https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a","https://github.com/python/cpython/issues/144125","https://github.com/python/cpython/pull/144126","https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"],"description":"The \nemail module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. 
This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1299","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-15282","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15282","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-15282","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15282","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0","https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38","https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80","https://github.com/python/cpython/commit/4ed11d3cd288e6b
90196a15c5a825a45d318fe47","https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a","https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f","https://github.com/python/cpython/issues/143925","https://github.com/python/cpython/pull/143926","https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/"],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15282","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-1299","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1299","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The  email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when  serializing an email message allowing for header injection when an email  is serialized. 
This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-1299","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1299","namespace":"nvd:cpe","severity":"Medium","urls":["https://cve.org/CVERecord?id=CVE-2024-6923","https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413","https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8","https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9","https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4","https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36","https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a","https://github.com/python/cpython/issues/144125","https://github.com/python/cpython/pull/144126","https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"],"description":"The \nemail module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. 
This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1299","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-15282","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15282","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-15282","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15282","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0","https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38","https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80","https://github.com/python/cpython/commit/4ed11d3cd288e6b90196a15c5a
825a45d318fe47","https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a","https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f","https://github.com/python/cpython/issues/143925","https://github.com/python/cpython/pull/143926","https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/"],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15282","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-1299","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1299","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The  email module, specifically the \"BytesGenerator\" class, 
didn’t properly quote newlines for email headers when  serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-1299","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1299","namespace":"nvd:cpe","severity":"Medium","urls":["https://cve.org/CVERecord?id=CVE-2024-6923","https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413","https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8","https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9","https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4","https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36","https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a","https://github.com/python/cpython/issues/144125","https://github.com/python/cpython/pull/144126","https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"],"description":"The \nemail module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when \nserializing an email message allowing 
for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1299","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-15282","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15282","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL 
mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-15282","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15282","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0","https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38","https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80","https://github.com/python/cpython/commit/4ed11d3cd288e6b90196a15c5a825a45d318fe47","https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a","https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f","https://github.com/python/cpython/issues/143925","https://github.com/python/cpython/pull/143926","https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/"],"description":"User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL 
mediatype.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15282","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15282","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15282","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-1299","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1299","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The  email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when  serializing an email message allowing for 
header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.024200000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-1299","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1299","namespace":"nvd:cpe","severity":"Medium","urls":["https://cve.org/CVERecord?id=CVE-2024-6923","https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413","https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8","https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9","https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4","https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36","https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a","https://github.com/python/cpython/issues/144125","https://github.com/python/cpython/pull/144126","https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"],"description":"The \nemail module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. 
This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1299","epss":0.00044,"percentile":0.13418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1299","cwe":"CWE-93","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1299","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2016-9797","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9797","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer over-read was observed in \"l2cap_dump\" function in \"tools/parser/l2cap.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9797","epss":0.00479,"percentile":0.65091,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9797","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9797","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.023950000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9797","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9797","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer over-read was observed in \"l2cap_dump\" function in \"tools/parser/l2cap.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9797","epss":0.00479,"percentile":0.65091,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9797","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9797","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9797","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9797","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9797","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer over-read was observed in \"l2cap_dump\" function in \"tools/parser/l2cap.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9797","epss":0.00479,"percentile":0.65091,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9797","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9797","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.023950000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9797","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9797","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer over-read was observed in \"l2cap_dump\" function in \"tools/parser/l2cap.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9797","epss":0.00479,"percentile":0.65091,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9797","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9797","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9797","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2016-9802","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9802","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer over-read was identified in \"l2cap_packet\" function in \"monitor/packet.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[],"epss":[{"cve":"CVE-2016-9802","epss":0.00476,"percentile":0.64931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9802","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.023800000000000005},"relatedVulnerabilities":[{"id":"CVE-2016-9802","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9802","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68898.html"],"description":"In BlueZ 5.42, a buffer over-read was identified in \"l2cap_packet\" function in \"monitor/packet.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9802","epss":0.00476,"percentile":0.64931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9802","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9802","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9802","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9802","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer over-read was identified in \"l2cap_packet\" function in \"monitor/packet.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[],"epss":[{"cve":"CVE-2016-9802","epss":0.00476,"percentile":0.64931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9802","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.023800000000000005},"relatedVulnerabilities":[{"id":"CVE-2016-9802","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9802","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68898.html"],"description":"In BlueZ 5.42, a buffer over-read was identified in \"l2cap_packet\" function in \"monitor/packet.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9802","epss":0.00476,"percentile":0.64931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9802","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9802","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2016-9799","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9799","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pklg_read_hci\" function in \"btsnoop.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[],"epss":[{"cve":"CVE-2016-9799","epss":0.00476,"percentile":0.64923,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9799","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.023800000000000005},"relatedVulnerabilities":[{"id":"CVE-2016-9799","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9799","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68898.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pklg_read_hci\" function in \"btsnoop.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9799","epss":0.00476,"percentile":0.64923,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9799","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9799","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9799","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9799","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pklg_read_hci\" function in \"btsnoop.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[],"epss":[{"cve":"CVE-2016-9799","epss":0.00476,"percentile":0.64923,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9799","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.023800000000000005},"relatedVulnerabilities":[{"id":"CVE-2016-9799","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9799","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68898.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pklg_read_hci\" function in \"btsnoop.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9799","epss":0.00476,"percentile":0.64923,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9799","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9799","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2026-3644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3644","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02365},"relatedVulnerabilities":[{"id":"CVE-2026-3644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3644","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4","https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd","https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd","https://github.com/python/cpython/issues/145599","https://github.com/python/cpython/pull/145600","https://mail.python.org/archives/list/security-a
nnounce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/"],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-3644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3644","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. 
Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02365},"relatedVulnerabilities":[{"id":"CVE-2026-3644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3644","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4","https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd","https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd","https://github.com/python/cpython/issues/145599","https://github.com/python/cpython/pull/145600","https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/"],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. 
Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-3644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3644","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. 
Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02365},"relatedVulnerabilities":[{"id":"CVE-2026-3644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3644","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4","https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd","https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd","https://github.com/python/cpython/issues/145599","https://github.com/python/cpython/pull/145600","https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/"],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. 
Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3644","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. 
Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02365},"relatedVulnerabilities":[{"id":"CVE-2026-3644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3644","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4","https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd","https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd","https://github.com/python/cpython/issues/145599","https://github.com/python/cpython/pull/145600","https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/"],"description":"The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. 
Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3644","epss":0.00043,"percentile":0.12837,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3644","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2026-3644","cwe":"CWE-116","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40225","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023370000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-40225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"description":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40225","epss":0.00041,"percentile":0.12316,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40225","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2025-66471","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66471","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. 
This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66471","epss":0.00031,"percentile":0.08975,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66471","cwe":"CWE-409","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02325},"relatedVulnerabilities":[{"id":"CVE-2025-66471","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66471","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7","https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37"],"description":"urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. 
This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66471","epss":0.00031,"percentile":0.08975,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66471","cwe":"CWE-409","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python-urllib3","version":"2.3.0-3+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66471","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-python3-urllib3-61ce93fd4a6b779a","name":"python3-urllib3","version":"2.3.0-3+deb13u1","type":"deb","locations":null,"language":"","licenses":["Expat"],"cpes":["cpe:2.3:a:python3-urllib3:python3-urllib3:2.3.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3-urllib3:python3_urllib3:2.3.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3_urllib3:python3-urllib3:2.3.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3_urllib3:python3_urllib3:2.3.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-urllib3:2.3.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_urllib3:2.3.0-3\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-urllib3@2.3.0-3%2Bdeb13u1?arch=all&distro=debian-13&upstream=python-urllib3","upstreams":[{"name":"python-urllib3"}]}},{"vulnerability":{"id":"CVE-2026-28389","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28389","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.  Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.  When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.  Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28389","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28389","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.02325},"relatedVulnerabilities":[{"id":"CVE-2026-28389","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28389","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5","https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616","https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f","https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a","https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. 
This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28389","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28389","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28389","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-libssl3t64-fbc7f38a88f32ab8","name":"libssl3t64","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-28390","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28390","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.  Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.  When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.  Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28390","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28390","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.02325},"relatedVulnerabilities":[{"id":"CVE-2026-28390","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28390","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc","https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6","https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4","https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788","https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without 
checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28390","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28390","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28390","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-libssl3t64-fbc7f38a88f32ab8","name":"libssl3t64","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-28389","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28389","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.  Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.  When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.  Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28389","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28389","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.02325},"relatedVulnerabilities":[{"id":"CVE-2026-28389","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28389","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5","https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616","https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f","https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a","https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. 
This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28389","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28389","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28389","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-0bb8411929274959","name":"openssl","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl:openssl:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl@3.5.5-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-28390","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28390","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: During processing of a 
crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.  Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.  When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.  Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28390","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28390","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.02325},"relatedVulnerabilities":[{"id":"CVE-2026-28390","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28390","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc","https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6","https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4","https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34
830cbcadc970d2e0788","https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module 
boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28390","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28390","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28390","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-0bb8411929274959","name":"openssl","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl:openssl:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl@3.5.5-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-28389","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28389","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.  Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.  
When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.  Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28389","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28389","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.02325},"relatedVulnerabilities":[{"id":"CVE-2026-28389","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28389","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5","https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616","https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f","https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a","https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can 
happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28389","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28389","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28389","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-provider-legacy-58635bb375629269","name":"openssl-provider-legacy","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl-provider-legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider-legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-28390","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28390","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.  Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.  When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.  Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28390","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28390","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.02325},"relatedVulnerabilities":[{"id":"CVE-2026-28390","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28390","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc","https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6","https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4","https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788","https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without 
checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28390","epss":0.00031,"percentile":0.08746,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28390","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28390","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-provider-legacy-58635bb375629269","name":"openssl-provider-legacy","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl-provider-legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider-legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2025-14819","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14819","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When doing TLS related transfers with reused easy or multi handles and altering the  `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. 
This could make libcurl find and accept a trust chain that it otherwise would not.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14819","epss":0.00045,"percentile":0.13755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14819","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023175},"relatedVulnerabilities":[{"id":"CVE-2025-14819","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14819","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14819.html","https://curl.se/docs/CVE-2025-14819.json","http://www.openwall.com/lists/oss-security/2026/01/07/5"],"description":"When doing TLS related transfers with reused easy or multi handles and\naltering the  `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. 
This could make\nlibcurl find and accept a trust chain that it otherwise would not.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14819","epss":0.00045,"percentile":0.13755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14819","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14819","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-14819","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14819","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When doing TLS related transfers with reused easy or multi handles and altering the  `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. 
This could make libcurl find and accept a trust chain that it otherwise would not.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14819","epss":0.00045,"percentile":0.13755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14819","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023175},"relatedVulnerabilities":[{"id":"CVE-2025-14819","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14819","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14819.html","https://curl.se/docs/CVE-2025-14819.json","http://www.openwall.com/lists/oss-security/2026/01/07/5"],"description":"When doing TLS related transfers with reused easy or multi handles and\naltering the  `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. 
This could make\nlibcurl find and accept a trust chain that it otherwise would not.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14819","epss":0.00045,"percentile":0.13755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14819","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14819","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-14819","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14819","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When doing TLS related transfers with reused easy or multi handles and altering the  `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. 
This could make libcurl find and accept a trust chain that it otherwise would not.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14819","epss":0.00045,"percentile":0.13755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14819","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023175},"relatedVulnerabilities":[{"id":"CVE-2025-14819","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14819","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14819.html","https://curl.se/docs/CVE-2025-14819.json","http://www.openwall.com/lists/oss-security/2026/01/07/5"],"description":"When doing TLS related transfers with reused easy or multi handles and\naltering the  `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. 
This could make\nlibcurl find and accept a trust chain that it otherwise would not.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14819","epss":0.00045,"percentile":0.13755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14819","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14819","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2023-51580","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51580","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  
The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20852.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51580","epss":0.00043,"percentile":0.13154,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51580","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023005},"relatedVulnerabilities":[{"id":"CVE-2023-51580","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51580","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1903/"],"description":"BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20852.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":1.2,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51580","epss":0.00043,"percentile":0.13154,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51580","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51580","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-51580","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51580","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  
The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20852.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51580","epss":0.00043,"percentile":0.13154,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51580","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.023005},"relatedVulnerabilities":[{"id":"CVE-2023-51580","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51580","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1903/"],"description":"BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20852.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":1.2,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51580","epss":0.00043,"percentile":0.13154,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51580","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51580","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2016-9917","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9917","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"read_n\" function in \"tools/hcidump.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9917","epss":0.00454,"percentile":0.63855,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9917","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.022699999999999998},"relatedVulnerabilities":[{"id":"CVE-2016-9917","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9917","namespace":"nvd:cpe","severity":"High","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://www.securityfocus.com/bid/95013","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"read_n\" function in \"tools/hcidump.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9917","epss":0.00454,"percentile":0.63855,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9917","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9917","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause 
AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9917","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9917","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"read_n\" function in \"tools/hcidump.c\" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9917","epss":0.00454,"percentile":0.63855,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9917","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.022699999999999998},"relatedVulnerabilities":[{"id":"CVE-2016-9917","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9917","namespace":"nvd:cpe","severity":"High","urls":["http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00069.html","http://www.securityfocus.com/bid/95013","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"read_n\" function in \"tools/hcidump.c\" source file. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9917","epss":0.00454,"percentile":0.63855,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9917","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9917","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2007-2243","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-2243","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to 
CVE-2001-1483.","cvss":[],"epss":[{"cve":"CVE-2007-2243","epss":0.00441,"percentile":0.63279,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2243","cwe":"CWE-287","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.02205},"relatedVulnerabilities":[{"id":"CVE-2007-2243","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-2243","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html","http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html","http://securityreason.com/securityalert/2631","http://www.osvdb.org/34600","http://www.securityfocus.com/bid/23601","https://exchange.xforce.ibmcloud.com/vulnerabilities/33794","https://security.netapp.com/advisory/ntap-20191107-0003/"],"description":"OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-2243","epss":0.00441,"percentile":0.63279,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2243","cwe":"CWE-287","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-2243","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause 
AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2007-2243","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-2243","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to 
CVE-2001-1483.","cvss":[],"epss":[{"cve":"CVE-2007-2243","epss":0.00441,"percentile":0.63279,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2243","cwe":"CWE-287","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.02205},"relatedVulnerabilities":[{"id":"CVE-2007-2243","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-2243","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html","http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html","http://securityreason.com/securityalert/2631","http://www.osvdb.org/34600","http://www.securityfocus.com/bid/23601","https://exchange.xforce.ibmcloud.com/vulnerabilities/33794","https://security.netapp.com/advisory/ntap-20191107-0003/"],"description":"OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-2243","epss":0.00441,"percentile":0.63279,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2243","cwe":"CWE-287","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-2243","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause 
AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2007-2243","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-2243","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to 
CVE-2001-1483.","cvss":[],"epss":[{"cve":"CVE-2007-2243","epss":0.00441,"percentile":0.63279,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2243","cwe":"CWE-287","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.02205},"relatedVulnerabilities":[{"id":"CVE-2007-2243","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-2243","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html","http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html","http://securityreason.com/securityalert/2631","http://www.osvdb.org/34600","http://www.securityfocus.com/bid/23601","https://exchange.xforce.ibmcloud.com/vulnerabilities/33794","https://security.netapp.com/advisory/ntap-20191107-0003/"],"description":"OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-2243","epss":0.00441,"percentile":0.63279,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2243","cwe":"CWE-287","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-2243","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35386","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35386","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. 
This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35386","epss":0.00028,"percentile":0.08006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35386","cwe":"CWE-696","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02184},"relatedVulnerabilities":[{"id":"CVE-2026-35386","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35386","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. 
This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":3.6,"exploitabilityScore":1.1,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35386","epss":0.00028,"percentile":0.08006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35386","cwe":"CWE-696","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35386","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35386","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35386","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35386","epss":0.00028,"percentile":0.08006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35386","cwe":"CWE-696","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02184},"relatedVulnerabilities":[{"id":"CVE-2026-35386","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35386","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"In OpenSSH before 10.3, command execution can occur via shell metacharacters in a 
username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":3.6,"exploitabilityScore":1.1,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35386","epss":0.00028,"percentile":0.08006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35386","cwe":"CWE-696","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35386","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35386","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35386","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35386","epss":0.00028,"percentile":0.08006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35386","cwe":"CWE-696","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02184},"relatedVulnerabilities":[{"id":"CVE-2026-35386","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35386","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"In OpenSSH before 10.3, command execution can occur via shell metacharacters in a 
username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":3.6,"exploitabilityScore":1.1,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35386","epss":0.00028,"percentile":0.08006,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35386","cwe":"CWE-696","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35386","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-3805","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3805","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed 
memory.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3805","epss":0.00029,"percentile":0.08051,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3805","cwe":"CWE-416","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02175},"relatedVulnerabilities":[{"id":"CVE-2026-3805","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3805","namespace":"nvd:cpe","severity":"High","urls":["https://curl.se/docs/CVE-2026-3805.html","https://curl.se/docs/CVE-2026-3805.json","https://hackerone.com/reports/3591944","http://www.openwall.com/lists/oss-security/2026/03/11/4"],"description":"When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed memory.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3805","epss":0.00029,"percentile":0.08051,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3805","cwe":"CWE-416","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3805","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND 
GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3805","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3805","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3805","epss":0.00029,"percentile":0.08051,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3805","cwe":"CWE-416","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02175},"relatedVulnerabilities":[{"id":"CVE-2026-3805","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3805","namespace":"nvd:cpe","severity":"High","urls":["https://curl.se/docs/CVE-2026-3805.html","https://curl.se/docs/CVE-2026-3805.json","https://hackerone.com/reports/3591944","http://www.openwall.com/lists/oss-security/2026/03/11/4"],"description":"When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed 
memory.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3805","epss":0.00029,"percentile":0.08051,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3805","cwe":"CWE-416","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3805","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-3805","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3805","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"When doing a second SMB request to the same host again, curl would 
wrongly use a data pointer pointing into already freed memory.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3805","epss":0.00029,"percentile":0.08051,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3805","cwe":"CWE-416","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.02175},"relatedVulnerabilities":[{"id":"CVE-2026-3805","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3805","namespace":"nvd:cpe","severity":"High","urls":["https://curl.se/docs/CVE-2026-3805.html","https://curl.se/docs/CVE-2026-3805.json","https://hackerone.com/reports/3591944","http://www.openwall.com/lists/oss-security/2026/03/11/4"],"description":"When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed memory.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3805","epss":0.00029,"percentile":0.08051,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3805","cwe":"CWE-416","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3805","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2023-51589","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51589","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20853.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51589","epss":0.0004,"percentile":0.11972,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51589","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.021400000000000002},"relatedVulnerabilities":[{"id":"CVE-2023-51589","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51589","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1904/"],"description":"BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20853.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":1.2,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51589","epss":0.0004,"percentile":0.11972,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51589","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51589","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-51589","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51589","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  
The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20853.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51589","epss":0.0004,"percentile":0.11972,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51589","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.021400000000000002},"relatedVulnerabilities":[{"id":"CVE-2023-51589","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51589","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1904/"],"description":"BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20853.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":1.2,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51589","epss":0.0004,"percentile":0.11972,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51589","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51589","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2026-6238","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6238","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized 
memory.  These functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.021274999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-6238","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6238","namespace":"nvd:cpe","severity":"Medium","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34069"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  
Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6238","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-6238","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6238","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.  These functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  
Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.021274999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-6238","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6238","namespace":"nvd:cpe","severity":"Medium","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34069"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  
Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6238","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-6238","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6238","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.  These functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  
Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.021274999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-6238","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6238","namespace":"nvd:cpe","severity":"Medium","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34069"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  
Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6238","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-6238","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6238","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.  These functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.021274999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-6238","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6238","namespace":"nvd:cpe","severity":"Medium","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34069"],"description":"The deprecated functions 
ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00037,"percentile":0.10931,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6238","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM 
AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2024-58251","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-58251","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-58251","epss":0.00077,"percentile":0.22875,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-58251","cwe":"CWE-150","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.021175},"relatedVulnerabilities":[{"id":"CVE-2024-58251","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-58251","namespace":"nvd:cpe","severity":"Low","urls":["https://bugs.busybox.net/show_bug.cgi?id=15922","https://www.busybox.net","https://www.busybox.net/downloads/","http://www.openwall.com/lists/oss-security/2025/04/23/6"],"description":"In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when 
netstat is used by a victim.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-58251","epss":0.00077,"percentile":0.22875,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-58251","cwe":"CWE-150","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-58251","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-58251","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2026-27448","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27448","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. 
Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27448","epss":0.00041,"percentile":0.12362,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27448","cwe":"CWE-636","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.021115000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-27448","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27448","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst#L27","https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0","https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424"],"description":"pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. 
Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27448","epss":0.00041,"percentile":0.12362,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27448","cwe":"CWE-636","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"pyopenssl","version":"25.0.0-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27448","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-python3-openssl-b0890c95bb82a9bb","name":"python3-openssl","version":"25.0.0-1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0"],"cpes":["cpe:2.3:a:python3-openssl:python3-openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3-openssl:python3_openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3_openssl:python3-openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3_openssl:python3_openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-openssl:25.0.0-1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_openssl:25.0.0-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-openssl@25.0.0-1?arch=all&distro=debian-13&upstream=pyopenssl","upstreams":[{"name":"pyopenssl"}]}},{"vulnerability":{"id":"CVE-2016-9803","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9803","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, an out-of-bounds read was observed in \"le_meta_ev_dump\" function in \"tools/parser/hci.c\" source file. This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed.","cvss":[],"epss":[{"cve":"CVE-2016-9803","epss":0.00422,"percentile":0.62083,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9803","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9803","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0211},"relatedVulnerabilities":[{"id":"CVE-2016-9803","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9803","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, an out-of-bounds read was observed in \"le_meta_ev_dump\" function in \"tools/parser/hci.c\" source file. 
This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9803","epss":0.00422,"percentile":0.62083,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9803","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9803","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9803","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9803","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9803","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, an out-of-bounds read was observed in \"le_meta_ev_dump\" function in \"tools/parser/hci.c\" source file. 
This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed.","cvss":[],"epss":[{"cve":"CVE-2016-9803","epss":0.00422,"percentile":0.62083,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9803","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9803","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0211},"relatedVulnerabilities":[{"id":"CVE-2016-9803","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9803","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, an out-of-bounds read was observed in \"le_meta_ev_dump\" function in \"tools/parser/hci.c\" source file. This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9803","epss":0.00422,"percentile":0.62083,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9803","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2016-9803","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9803","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2025-6966","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6966","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6966","epss":0.0004,"percentile":0.12056,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6966","cwe":"CWE-476","source":"security@ubuntu.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.021},"relatedVulnerabilities":[{"id":"CVE-2025-6966","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6966","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865","https://lists.debian.org/debian-lts-announce/2025/12/msg00019.html"],"description":"NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 
key.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security@ubuntu.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6966","epss":0.0004,"percentile":0.12056,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6966","cwe":"CWE-476","source":"security@ubuntu.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python-apt","version":"3.0.0"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6966","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python-apt-common-663c24ea9446d56e","name":"python-apt-common","version":"3.0.0","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later AND 
LicenseRef-Permissive"],"cpes":["cpe:2.3:a:python-apt-common:python-apt-common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python-apt-common:python_apt_common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python_apt_common:python-apt-common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python_apt_common:python_apt_common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python-apt:python-apt-common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python-apt:python_apt_common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python_apt:python-apt-common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python_apt:python_apt_common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python:python-apt-common:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python:python_apt_common:3.0.0:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python-apt-common@3.0.0?arch=all&distro=debian-13&upstream=python-apt","upstreams":[{"name":"python-apt"}]}},{"vulnerability":{"id":"CVE-2025-6966","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6966","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6966","epss":0.0004,"percentile":0.12056,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6966","cwe":"CWE-476","source":"security@ubuntu.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.021},"relatedVulnerabilities":[{"id":"CVE-2025-6966","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6966","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865","https://lists.debian.org/debian-lts-announce/2025/12/msg00019.html"],"description":"NULL 
pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security@ubuntu.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6966","epss":0.0004,"percentile":0.12056,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6966","cwe":"CWE-476","source":"security@ubuntu.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python-apt","version":"3.0.0"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6966","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3-apt-474b30ca62a5ced4","name":"python3-apt","version":"3.0.0","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later AND 
LicenseRef-Permissive"],"cpes":["cpe:2.3:a:python3-apt:python3-apt:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python3-apt:python3_apt:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python3_apt:python3-apt:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python3_apt:python3_apt:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-apt:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_apt:3.0.0:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-apt@3.0.0?arch=arm64&distro=debian-13&upstream=python-apt","upstreams":[{"name":"python-apt"}]}},{"vulnerability":{"id":"CVE-2023-51594","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51594","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.  The specific flaw exists within the handling of OBEX protocol parameters. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20937.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51594","epss":0.00038,"percentile":0.11262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51594","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.020330000000000004},"relatedVulnerabilities":[{"id":"CVE-2023-51594","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51594","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1901/"],"description":"BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.\n\nThe specific flaw exists within the handling of OBEX protocol parameters. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20937.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":1.2,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51594","epss":0.00038,"percentile":0.11262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51594","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51594","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-51594","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51594","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.  The specific flaw exists within the handling of OBEX protocol parameters. 
The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20937.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51594","epss":0.00038,"percentile":0.11262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51594","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.020330000000000004},"relatedVulnerabilities":[{"id":"CVE-2023-51594","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51594","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1901/"],"description":"BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.\n\nThe specific flaw exists within the handling of OBEX protocol parameters. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20937.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","metrics":{"baseScore":2.6,"exploitabilityScore":1.2,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51594","epss":0.00038,"percentile":0.11262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51594","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51594","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2026-39881","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-39881","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. 
This vulnerability is fixed in 9.2.0316.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-39881","epss":0.00026,"percentile":0.07095,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-39881","cwe":"CWE-94","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019889999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-39881","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-39881","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19","https://github.com/vim/vim/releases/tag/v9.2.0316","https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6"],"description":"Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. 
This vulnerability is fixed in 9.2.0316.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N","metrics":{"baseScore":5,"exploitabilityScore":0.8,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-39881","epss":0.00026,"percentile":0.07095,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-39881","cwe":"CWE-94","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-39881","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-39881","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-39881","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-39881","epss":0.00026,"percentile":0.07095,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-39881","cwe":"CWE-94","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019889999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-39881","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-39881","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19","https://github.com/vim/vim/releases/tag/v9.2.0316","https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6"],"description":"Vim is an open source, command line text editor. 
Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N","metrics":{"baseScore":5,"exploitabilityScore":0.8,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-39881","epss":0.00026,"percentile":0.07095,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-39881","cwe":"CWE-94","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-39881","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-39881","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-39881","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-39881","epss":0.00026,"percentile":0.07095,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-39881","cwe":"CWE-94","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019889999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-39881","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-39881","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19","https://github.com/vim/vim/releases/tag/v9.2.0316","https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6"],"description":"Vim is an open source, command line text editor. 
Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N","metrics":{"baseScore":5,"exploitabilityScore":0.8,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-39881","epss":0.00026,"percentile":0.07095,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-39881","cwe":"CWE-94","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-39881","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2010-4756","dataSource":"https://security-tracker.debian.org/tracker/CVE-2010-4756","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019700000000000002},"relatedVulnerabilities":[{"id":"CVE-2010-4756","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2010-4756","namespace":"nvd:cpe","severity":"Medium","urls":["http://cxib.net/stuff/glob-0day.c","http://securityreason.com/achievement_securityalert/89","http://securityreason.com/exploitalert/9223","https://bugzilla.redhat.com/show_bug.cgi?id=681681","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756","https://security.netapp.com/advisory/ntap-20241108-0002/"],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than 
CVE-2010-2632.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":4,"exploitabilityScore":8,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2010-4756","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2010-4756","dataSource":"https://security-tracker.debian.org/tracker/CVE-2010-4756","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019700000000000002},"relatedVulnerabilities":[{"id":"CVE-2010-4756","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2010-4756","namespace":"nvd:cpe","severity":"Medium","urls":["http://cxib.net/stuff/glob-0day.c","http://securityreason.com/achievement_securityalert/89","http://securityreason.com/exploitalert/9223","https://bugzilla.redhat.com/show_bug.cgi?id=681681","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756","https://security.netapp.com/advisory/ntap-20241108-0002/"],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of 
service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":4,"exploitabilityScore":8,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2010-4756","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2010-4756","dataSource":"https://security-tracker.debian.org/tracker/CVE-2010-4756","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019700000000000002},"relatedVulnerabilities":[{"id":"CVE-2010-4756","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2010-4756","namespace":"nvd:cpe","severity":"Medium","urls":["http://cxib.net/stuff/glob-0day.c","http://securityreason.com/achievement_securityalert/89","http://securityreason.com/exploitalert/9223","https://bugzilla.redhat.com/show_bug.cgi?id=681681","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756","https://security.netapp.com/advisory/ntap-20241108-0002/"],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a 
denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":4,"exploitabilityScore":8,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2010-4756","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2010-4756","dataSource":"https://security-tracker.debian.org/tracker/CVE-2010-4756","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019700000000000002},"relatedVulnerabilities":[{"id":"CVE-2010-4756","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2010-4756","namespace":"nvd:cpe","severity":"Medium","urls":["http://cxib.net/stuff/glob-0day.c","http://securityreason.com/achievement_securityalert/89","http://securityreason.com/exploitalert/9223","https://bugzilla.redhat.com/show_bug.cgi?id=681681","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756","https://security.netapp.com/advisory/ntap-20241108-0002/"],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than 
CVE-2010-2632.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":4,"exploitabilityScore":8,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2010-4756","epss":0.00394,"percentile":0.60325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2010-4756","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2016-9800","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9800","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pin_code_reply_dump\" function in \"tools/parser/hci.c\" source file. The issue exists because \"pin\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"pin_code_reply_cp *cp\" parameter.","cvss":[],"epss":[{"cve":"CVE-2016-9800","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9800","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019350000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9800","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9800","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pin_code_reply_dump\" function in \"tools/parser/hci.c\" source file. 
The issue exists because \"pin\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"pin_code_reply_cp *cp\" parameter.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9800","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9800","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9800","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9801","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9801","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"set_ext_ctrl\" function in \"tools/parser/l2cap.c\" source file when processing corrupted dump 
file.","cvss":[],"epss":[{"cve":"CVE-2016-9801","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9801","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019350000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9801","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9801","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"set_ext_ctrl\" function in \"tools/parser/l2cap.c\" source file when processing corrupted dump file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9801","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9801","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9801","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9800","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9800","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pin_code_reply_dump\" function in \"tools/parser/hci.c\" source file. The issue exists because \"pin\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"pin_code_reply_cp *cp\" parameter.","cvss":[],"epss":[{"cve":"CVE-2016-9800","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9800","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019350000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9800","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9800","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"pin_code_reply_dump\" function in \"tools/parser/hci.c\" source file. 
The issue exists because \"pin\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"pin_code_reply_cp *cp\" parameter.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9800","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9800","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9800","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2016-9801","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9801","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"set_ext_ctrl\" function in \"tools/parser/l2cap.c\" source file when processing corrupted dump 
file.","cvss":[],"epss":[{"cve":"CVE-2016-9801","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9801","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019350000000000003},"relatedVulnerabilities":[{"id":"CVE-2016-9801","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9801","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"set_ext_ctrl\" function in \"tools/parser/l2cap.c\" source file when processing corrupted dump file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9801","epss":0.00387,"percentile":0.59814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9801","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9801","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-9996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-9996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.019250000000000003},"relatedVulnerabilities":[{"id":"CVE-2018-9996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-9996","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/103733","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"],"description":"An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-9996","epss":0.00385,"percentile":0.59717,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-9996","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-9996","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-35387","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35387","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"OpenSSH before 10.3 can use unintended ECDSA algorithms. 
Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.3,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35387","epss":0.00032,"percentile":0.09386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35387","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0184},"relatedVulnerabilities":[{"id":"CVE-2026-35387","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35387","namespace":"nvd:cpe","severity":"Medium","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 can use unintended ECDSA algorithms. 
Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.3,"impactScore":4.3},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35387","epss":0.00032,"percentile":0.09386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35387","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35387","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35387","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35387","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.3,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35387","epss":0.00032,"percentile":0.09386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35387","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0184},"relatedVulnerabilities":[{"id":"CVE-2026-35387","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35387","namespace":"nvd:cpe","severity":"Medium","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 can use unintended ECDSA algorithms. 
Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.3,"impactScore":4.3},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35387","epss":0.00032,"percentile":0.09386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35387","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35387","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35387","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35387","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.3,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35387","epss":0.00032,"percentile":0.09386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35387","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0184},"relatedVulnerabilities":[{"id":"CVE-2026-35387","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35387","namespace":"nvd:cpe","severity":"Medium","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 can use unintended ECDSA algorithms. 
Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.3,"impactScore":4.3},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35387","epss":0.00032,"percentile":0.09386,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35387","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35387","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2012-2663","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-2663","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  
NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01805},"relatedVulnerabilities":[{"id":"CVE-2012-2663","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-2663","namespace":"nvd:cpe","severity":"High","urls":["http://www.spinics.net/lists/netfilter-devel/msg21248.html","https://bugzilla.redhat.com/show_bug.cgi?id=826702"],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"iptables","version":"1.8.11-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-2663","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-iptables-77529b047964014f","name":"iptables","version":"1.8.11-2","type":"deb","locations":null,"language":"","licenses":["Artistic AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-custom"],"cpes":["cpe:2.3:a:iptables:iptables:1.8.11-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/iptables@1.8.11-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2012-2663","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-2663","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not 
match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01805},"relatedVulnerabilities":[{"id":"CVE-2012-2663","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-2663","namespace":"nvd:cpe","severity":"High","urls":["http://www.spinics.net/lists/netfilter-devel/msg21248.html","https://bugzilla.redhat.com/show_bug.cgi?id=826702"],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"iptables","version":"1.8.11-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-2663","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libip4tc2-d94d49d3eabc1255","name":"libip4tc2","version":"1.8.11-2","type":"deb","locations":null,"language":"","licenses":["Artistic AND GPL-2.0-only AND GPL-2.0-or-later AND 
LicenseRef-custom"],"cpes":["cpe:2.3:a:libip4tc2:libip4tc2:1.8.11-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libip4tc2@1.8.11-2?arch=arm64&distro=debian-13&upstream=iptables","upstreams":[{"name":"iptables"}]}},{"vulnerability":{"id":"CVE-2012-2663","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-2663","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01805},"relatedVulnerabilities":[{"id":"CVE-2012-2663","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-2663","namespace":"nvd:cpe","severity":"High","urls":["http://www.spinics.net/lists/netfilter-devel/msg21248.html","https://bugzilla.redhat.com/show_bug.cgi?id=826702"],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  
NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"iptables","version":"1.8.11-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-2663","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libip6tc2-9f892ddaa013fb36","name":"libip6tc2","version":"1.8.11-2","type":"deb","locations":null,"language":"","licenses":["Artistic AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-custom"],"cpes":["cpe:2.3:a:libip6tc2:libip6tc2:1.8.11-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libip6tc2@1.8.11-2?arch=arm64&distro=debian-13&upstream=iptables","upstreams":[{"name":"iptables"}]}},{"vulnerability":{"id":"CVE-2012-2663","dataSource":"https://security-tracker.debian.org/tracker/CVE-2012-2663","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  
NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01805},"relatedVulnerabilities":[{"id":"CVE-2012-2663","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2012-2663","namespace":"nvd:cpe","severity":"High","urls":["http://www.spinics.net/lists/netfilter-devel/msg21248.html","https://bugzilla.redhat.com/show_bug.cgi?id=826702"],"description":"extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  NOTE: the CVE-2012-6638 fix makes this issue less relevant.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2012-2663","epss":0.00361,"percentile":0.58239,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"iptables","version":"1.8.11-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2012-2663","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libxtables12-2cf7e30144f65c3a","name":"libxtables12","version":"1.8.11-2","type":"deb","locations":null,"language":"","licenses":["Artistic AND GPL-2.0-only AND GPL-2.0-or-later AND 
LicenseRef-custom"],"cpes":["cpe:2.3:a:libxtables12:libxtables12:1.8.11-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libxtables12@1.8.11-2?arch=arm64&distro=debian-13&upstream=iptables","upstreams":[{"name":"iptables"}]}},{"vulnerability":{"id":"CVE-2026-27135","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27135","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27135","epss":0.00024,"percentile":0.06713,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27135","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.018000000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-27135","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27135","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1","https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6","http://www.openwall.com/lists/oss-security/2026/03/20/3"],"description":"nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27135","epss":0.00024,"percentile":0.06713,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27135","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nghttp2","version":"1.64.0-1.1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27135","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnghttp2-14-827bb1012fb0da55","name":"libnghttp2-14","version":"1.64.0-1.1","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-Expat AND GPL-3.0-only AND GPL-3.0-or-later AND MIT AND LicenseRef-all-permissive"],"cpes":["cpe:2.3:a:libnghttp2-14:libnghttp2-14:1.64.0-1.1:*:*:*:*:*:*:*","cpe:2.3:a:libnghttp2-14:libnghttp2_14:1.64.0-1.1:*:*:*:*:*:*:*","cpe:2.3:a:libnghttp2_14:libnghttp2-14:1.64.0-1.1:*:*:*:*:*:*:*","cpe:2.3:a:libnghttp2_14:libnghttp2_14:1.64.0-1.1:*:*:*:*:*:*:*","cpe:2.3:a:libnghttp2:libnghttp2-14:1.64.0-1.1:*:*:*:*:*:*:*","cpe:2.3:a:libnghttp2:libnghttp2_14:1.64.0-1.1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnghttp2-14@1.64.0-1.1?arch=arm64&distro=debian-13&upstream=nghttp2","upstreams":[{"name":"nghttp2"}]}},{"vulnerability":{"id":"CVE-2016-9804","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9804","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"commands_dump\" function in \"tools/parser/csr.c\" source file. 
The issue exists because \"commands\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"frm->ptr\" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9804","epss":0.0036,"percentile":0.58152,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9804","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.018000000000000002},"relatedVulnerabilities":[{"id":"CVE-2016-9804","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9804","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"commands_dump\" function in \"tools/parser/csr.c\" source file. The issue exists because \"commands\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"frm->ptr\" parameter. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9804","epss":0.0036,"percentile":0.58152,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9804","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9804","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2016-9804","dataSource":"https://security-tracker.debian.org/tracker/CVE-2016-9804","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In BlueZ 5.42, a buffer overflow was observed in \"commands_dump\" function in \"tools/parser/csr.c\" source file. The issue exists because \"commands\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"frm->ptr\" parameter. 
This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[],"epss":[{"cve":"CVE-2016-9804","epss":0.0036,"percentile":0.58152,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9804","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.018000000000000002},"relatedVulnerabilities":[{"id":"CVE-2016-9804","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-9804","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/94652","https://www.spinics.net/lists/linux-bluetooth/msg68892.html"],"description":"In BlueZ 5.42, a buffer overflow was observed in \"commands_dump\" function in \"tools/parser/csr.c\" source file. The issue exists because \"commands\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"frm->ptr\" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-9804","epss":0.0036,"percentile":0.58152,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2016-9804","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2016-9804","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2026-4438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4438","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.017159999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-4438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4438","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34015"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 
2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4438","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.017159999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-4438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4438","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34015"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that 
specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4438","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.017159999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-4438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4438","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34015"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf 
that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4438","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.017159999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-4438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4438","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34015"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS 
specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00033,"percentile":0.09694,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2025-6075","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6075","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"If the value passed to os.path.expandvars() is user-controlled a  performance degradation is possible when expanding environment  variables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.016275},"relatedVulnerabilities":[{"id":"CVE-2025-6075","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6075","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c","https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427","https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84","https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca","https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742","https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba","https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c","https://github.com/python/cpython/issues/136065","https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"],"description":"If the 
value passed to os.path.expandvars() is user-controlled a \nperformance degradation is possible when expanding environment \nvariables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6075","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-6075","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6075","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"If the value passed to os.path.expandvars() is user-controlled a  performance degradation is possible when expanding environment  variables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.016275},"relatedVulnerabilities":[{"id":"CVE-2025-6075","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6075","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c","https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427","https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84","https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca","https://github.com/python/cpython/commit/9ab8
9c026aa9611c4b0b67c288b8303a480fe742","https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba","https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c","https://github.com/python/cpython/issues/136065","https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"],"description":"If the value passed to os.path.expandvars() is user-controlled a \nperformance degradation is possible when expanding environment \nvariables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6075","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-6075","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6075","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"If the value passed to os.path.expandvars() is user-controlled a  performance degradation is possible when expanding environment  variables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.016275},"relatedVulnerabilities":[{"id":"CVE-2025-6075","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6075","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c","https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427","https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84","https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca","https://github.com/python/cpython/commit/9ab89c026aa9611
c4b0b67c288b8303a480fe742","https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba","https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c","https://github.com/python/cpython/issues/136065","https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"],"description":"If the value passed to os.path.expandvars() is user-controlled a \nperformance degradation is possible when expanding environment \nvariables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6075","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-6075","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-6075","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"If the value passed to os.path.expandvars() is user-controlled a  performance degradation is possible when expanding environment  variables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.016275},"relatedVulnerabilities":[{"id":"CVE-2025-6075","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-6075","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c","https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427","https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84","https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca","https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742","https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba","https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c","https://github.com/python/cpython/issues/136065","https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"],"description":"If the value passed to os.path.expandvars() is user-controlled a 
\nperformance degradation is possible when expanding environment \nvariables.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-6075","epss":0.00031,"percentile":0.08938,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-6075","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-6075","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2007-5686","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-5686","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.","cvss":[],"epss":[{"cve":"CVE-2007-5686","epss":0.00322,"percentile":0.55226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-5686","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0161},"relatedVulnerabilities":[{"id":"CVE-2007-5686","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-5686","namespace":"nvd:cpe","severity":"Medium","urls":["http://secunia.com/advisories/27215","http://www.securityfocus.com/archive/1/482129/100/100/threaded","http://www.securityfocus.com/archive/1/482857/100/0/threaded","http://www.securityfocus.com/bid/26048","http://www.vupen.com/english/advisories/2007/3474","https://issues.rpath.com/browse/RPL-1825"],"description":"initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain 
sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:C/I:N/A:N","metrics":{"baseScore":4.9,"exploitabilityScore":4,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-5686","epss":0.00322,"percentile":0.55226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-5686","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"shadow","version":"1:4.17.4-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-5686","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-login.defs-893ab677af71bedc","name":"login.defs","version":"1:4.17.4-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-1.0-only AND GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:login.defs:login.defs:1\\:4.17.4-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/login.defs@1%3A4.17.4-2?arch=all&distro=debian-13&upstream=shadow","upstreams":[{"name":"shadow"}]}},{"vulnerability":{"id":"CVE-2007-5686","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-5686","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  
NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.","cvss":[],"epss":[{"cve":"CVE-2007-5686","epss":0.00322,"percentile":0.55226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-5686","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0161},"relatedVulnerabilities":[{"id":"CVE-2007-5686","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-5686","namespace":"nvd:cpe","severity":"Medium","urls":["http://secunia.com/advisories/27215","http://www.securityfocus.com/archive/1/482129/100/100/threaded","http://www.securityfocus.com/archive/1/482857/100/0/threaded","http://www.securityfocus.com/bid/26048","http://www.vupen.com/english/advisories/2007/3474","https://issues.rpath.com/browse/RPL-1825"],"description":"initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  
NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:C/I:N/A:N","metrics":{"baseScore":4.9,"exploitabilityScore":4,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-5686","epss":0.00322,"percentile":0.55226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-5686","cwe":"CWE-264","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"shadow","version":"1:4.17.4-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-5686","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-passwd-83a4f25e33a63fb3","name":"passwd","version":"1:4.17.4-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-1.0-only AND GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:passwd:passwd:1\\:4.17.4-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/passwd@1%3A4.17.4-2?arch=arm64&distro=debian-13&upstream=shadow","upstreams":[{"name":"shadow"}]}},{"vulnerability":{"id":"CVE-2026-28388","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28388","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing.  Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.  When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. 
When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.  Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.  The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28388","epss":0.00021,"percentile":0.05832,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28388","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.01575},"relatedVulnerabilities":[{"id":"CVE-2026-28388","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28388","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e","https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139","https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3","https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8","https://github.com/openssl/openssl/commit/d3a901e8
d9f021f3e67d6cfbc12e768129862726","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: When a delta CRL that contains a Delta CRL Indicator extension\nis processed a NULL pointer dereference might happen if the required CRL\nNumber extension is missing.\n\nImpact summary: A NULL pointer dereference can trigger a crash which\nleads to a Denial of Service for an application.\n\nWhen CRL processing and delta CRL processing is enabled during X.509\ncertificate verification, the delta CRL processing does not check\nwhether the CRL Number extension is NULL before dereferencing it.\nWhen a malformed delta CRL file is being processed, this parameter\ncan be NULL, causing a NULL pointer dereference.\n\nExploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in\nthe verification context, the certificate being verified to contain a\nfreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and\nan attacker to provide a malformed CRL to an application that processes it.\n\nThe vulnerability is limited to Denial of Service and cannot be escalated to\nachieve code execution or memory disclosure. 
For that reason the issue was\nassessed as Low severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28388","epss":0.00021,"percentile":0.05832,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28388","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28388","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-libssl3t64-fbc7f38a88f32ab8","name":"libssl3t64","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-28388","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28388","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer 
dereference might happen if the required CRL Number extension is missing.  Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.  When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.  Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.  The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28388","epss":0.00021,"percentile":0.05832,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28388","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.01575},"relatedVulnerabilities":[{"id":"CVE-2026-28388","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28388","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e","https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139","https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3","https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8","https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: When a delta CRL that contains a Delta CRL Indicator extension\nis processed a NULL pointer dereference might happen if the required CRL\nNumber extension is missing.\n\nImpact summary: A NULL pointer dereference can trigger a crash which\nleads to a Denial of Service for an application.\n\nWhen CRL processing and delta CRL processing is enabled during X.509\ncertificate verification, the delta CRL processing does not check\nwhether the CRL Number extension is NULL before dereferencing it.\nWhen a malformed 
delta CRL file is being processed, this parameter\ncan be NULL, causing a NULL pointer dereference.\n\nExploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in\nthe verification context, the certificate being verified to contain a\nfreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and\nan attacker to provide a malformed CRL to an application that processes it.\n\nThe vulnerability is limited to Denial of Service and cannot be escalated to\nachieve code execution or memory disclosure. For that reason the issue was\nassessed as Low severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28388","epss":0.00021,"percentile":0.05832,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28388","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28388","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-0bb8411929274959","name":"openssl","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only 
AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl:openssl:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl@3.5.5-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-28388","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28388","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing.  Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.  When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.  Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.  The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28388","epss":0.00021,"percentile":0.05832,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28388","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.01575},"relatedVulnerabilities":[{"id":"CVE-2026-28388","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28388","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e","https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139","https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3","https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8","https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: When a delta CRL that contains a Delta CRL Indicator extension\nis processed a NULL pointer dereference might happen if the required CRL\nNumber extension is missing.\n\nImpact summary: A NULL pointer dereference can trigger a crash which\nleads to a Denial of Service for an application.\n\nWhen CRL processing and delta CRL processing is enabled during X.509\ncertificate verification, the delta CRL processing does not check\nwhether the CRL Number extension is NULL before dereferencing it.\nWhen a malformed 
delta CRL file is being processed, this parameter\ncan be NULL, causing a NULL pointer dereference.\n\nExploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in\nthe verification context, the certificate being verified to contain a\nfreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and\nan attacker to provide a malformed CRL to an application that processes it.\n\nThe vulnerability is limited to Denial of Service and cannot be escalated to\nachieve code execution or memory disclosure. For that reason the issue was\nassessed as Low severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28388","epss":0.00021,"percentile":0.05832,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28388","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28388","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-provider-legacy-58635bb375629269","name":"openssl-provider-legacy","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND 
LicenseRef-Artistic AND GPL-1.0-only AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl-provider-legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider-legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2019-1010023","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010023","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01565},"relatedVulnerabilities":[{"id":"CVE-2019-1010023","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010023","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/109167","https://security-tracker.debian.org/tracker/CVE-2019-1010023","https://sourceware.org/bugzilla/show_bug.cgi?id=22851","https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010023"],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010023","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND 
Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010023","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010023","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01565},"relatedVulnerabilities":[{"id":"CVE-2019-1010023","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010023","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/109167","https://security-tracker.debian.org/tracker/CVE-2019-1010023","https://sourceware.org/bugzilla/show_bug.cgi?id=22851","https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010023"],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. 
The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010023","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND 
LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010023","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010023","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01565},"relatedVulnerabilities":[{"id":"CVE-2019-1010023","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010023","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/109167","https://security-tracker.debian.org/tracker/CVE-2019-1010023","https://sourceware.org/bugzilla/show_bug.cgi?id=22851","https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010023"],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010023","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 
AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010023","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010023","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01565},"relatedVulnerabilities":[{"id":"CVE-2019-1010023","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010023","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/109167","https://security-tracker.debian.org/tracker/CVE-2019-1010023","https://sourceware.org/bugzilla/show_bug.cgi?id=22851","https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010023"],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010023","epss":0.00313,"percentile":0.54465,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010023","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND 
Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-35414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35414","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35414","epss":0.0002,"percentile":0.05392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35414","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015600000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-35414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35414","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma 
characters.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35414","epss":0.0002,"percentile":0.05392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35414","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35414","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35414","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35414","epss":0.0002,"percentile":0.05392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35414","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015600000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-35414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35414","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in 
conjunction with a Certificate Authority that makes certain use of comma characters.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35414","epss":0.0002,"percentile":0.05392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35414","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35414","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35414","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35414","epss":0.0002,"percentile":0.05392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35414","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015600000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-35414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35414","namespace":"nvd:cpe","severity":"High","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in 
conjunction with a Certificate Authority that makes certain use of comma characters.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35414","epss":0.0002,"percentile":0.05392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35414","cwe":"CWE-670","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35414","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2023-51592","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51592","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20854.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51592","epss":0.00029,"percentile":0.08354,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51592","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015515000000000001},"relatedVulnerabilities":[{"id":"CVE-2023-51592","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51592","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1905/"],"description":"BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20854.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":1.2,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51592","epss":0.00029,"percentile":0.08354,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51592","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51592","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bluez-cef294de34b9bafa","name":"bluez","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:bluez:bluez:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bluez@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-51592","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-51592","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.  
The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20854.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51592","epss":0.00029,"percentile":0.08354,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51592","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015515000000000001},"relatedVulnerabilities":[{"id":"CVE-2023-51592","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-51592","namespace":"nvd:cpe","severity":"Medium","urls":["https://www.zerodayinitiative.com/advisories/ZDI-23-1905/"],"description":"BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. 
Was ZDI-CAN-20854.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.7,"exploitabilityScore":2.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":1.2,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-51592","epss":0.00029,"percentile":0.08354,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-51592","cwe":"CWE-125","source":"zdi-disclosures@trendmicro.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bluez","version":"5.82-1.1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-51592","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbluetooth3-ebdcc458e75f0aed","name":"libbluetooth3","version":"5.82-1.1+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libbluetooth3:libbluetooth3:5.82-1.1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbluetooth3@5.82-1.1%2Brpt1?arch=arm64&distro=debian-13&upstream=bluez","upstreams":[{"name":"bluez"}]}},{"vulnerability":{"id":"CVE-2025-53906","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-53906","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. 
However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53906","epss":0.00033,"percentile":0.09695,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53906","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015014999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-53906","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-53906","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8","https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86","http://www.openwall.com/lists/oss-security/2025/07/15/2","http://www.openwall.com/lists/oss-security/2026/04/01/4"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. 
The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53906","epss":0.00033,"percentile":0.09695,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53906","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-53906","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-53906","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-53906","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1551 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53906","epss":0.00033,"percentile":0.09695,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53906","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015014999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-53906","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-53906","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8","https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86","http://www.openwall.com/lists/oss-security/2025/07/15/2","http://www.openwall.com/lists/oss-security/2026/04/01/4"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1551 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53906","epss":0.00033,"percentile":0.09695,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53906","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-53906","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-53906","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-53906","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1551 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53906","epss":0.00033,"percentile":0.09695,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53906","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.015014999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-53906","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-53906","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8","https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86","http://www.openwall.com/lists/oss-security/2025/07/15/2","http://www.openwall.com/lists/oss-security/2026/04/01/4"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1551 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53906","epss":0.00033,"percentile":0.09695,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53906","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-53906","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2021-30004","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-30004","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and 
tls/x509v3.c.","cvss":[],"epss":[{"cve":"CVE-2021-30004","epss":0.00296,"percentile":0.52895,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-30004","cwe":"CWE-20","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.014800000000000002},"relatedVulnerabilities":[{"id":"CVE-2021-30004","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-30004","namespace":"nvd:cpe","severity":"Medium","urls":["https://security.gentoo.org/glsa/202309-16","https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15"],"description":"In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-30004","epss":0.00296,"percentile":0.52895,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-30004","cwe":"CWE-20","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"wpa","version":"2:2.10-24"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-30004","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-wpasupplicant-f998381dada0f060","name":"wpasupplicant","version":"2:2.10-24","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-2.0-only AND ISC AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:wpasupplicant:wpasupplicant:2\\:2.10-24:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/wpasupplicant@2%3A2.10-24?arch=arm64&distro=debian-13&upstream=wpa","upstreams":[{"name":"wpa"}]}},{"vulnerability":{"id":"CVE-2026-5704","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5704","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5704","epss":0.00028,"percentile":0.07978,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5704","cwe":"CWE-434","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0147},"relatedVulnerabilities":[{"id":"CVE-2026-5704","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5704","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-5704","https://bugzilla.redhat.com/show_bug.cgi?id=2455360","http://www.openwall.com/lists/oss-security/2026/04/11/10","http://www.openwall.com/lists/oss-security/2026/04/11/11","http://www.openwall.com/lists/oss-security/2026/04/12/2"],"description":"A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. 
This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5704","epss":0.00028,"percentile":0.07978,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5704","cwe":"CWE-434","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"tar","version":"1.35+dfsg-3.1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5704","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-tar-44ddb5684c898749","name":"tar","version":"1.35+dfsg-3.1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:tar:tar:1.35\\+dfsg-3.1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/tar@1.35%2Bdfsg-3.1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3446","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3446","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. 
This can lead to data being accepted which may be processed differently by other implementations. Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01375},"relatedVulnerabilities":[{"id":"CVE-2026-3446","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3446","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474","https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e","https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa","https://github.com/python/cpython/issues/145264","https://github.com/python/cpython/pull/145267","https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/"],"description":"When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. 
Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3446","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-3446","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3446","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When calling base64.b64decode() or 
related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01375},"relatedVulnerabilities":[{"id":"CVE-2026-3446","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3446","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474","https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e","https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa","https://github.com/python/cpython/issues/145264","https://github.com/python/cpython/pull/145267","https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/"],"description":"When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. 
Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3446","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-3446","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3446","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When calling base64.b64decode() or related 
functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01375},"relatedVulnerabilities":[{"id":"CVE-2026-3446","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3446","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474","https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e","https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa","https://github.com/python/cpython/issues/145264","https://github.com/python/cpython/pull/145267","https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/"],"description":"When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. 
Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3446","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3446","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3446","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. 
Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01375},"relatedVulnerabilities":[{"id":"CVE-2026-3446","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3446","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474","https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e","https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa","https://github.com/python/cpython/issues/145264","https://github.com/python/cpython/pull/145267","https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/"],"description":"When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. 
Use \"validate=True\" to enable stricter processing of base64 data.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3446","epss":0.00025,"percentile":0.06987,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3446","cwe":"CWE-345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3446","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2021-45346","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-45346","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 
3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.","cvss":[],"epss":[{"cve":"CVE-2021-45346","epss":0.00271,"percentile":0.5048,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-45346","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.013550000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-45346","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-45346","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/guyinatuxedo/sqlite3_record_leaking","https://security.netapp.com/advisory/ntap-20220303-0001/","https://sqlite.org/forum/forumpost/056d557c2f8c452ed5","https://sqlite.org/forum/forumpost/53de8864ba114bf6","https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves"],"description":"A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. 
NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:P/I:N/A:N","metrics":{"baseScore":4,"exploitabilityScore":8,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-45346","epss":0.00271,"percentile":0.5048,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-45346","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"sqlite3","version":"3.46.1-7+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-45346","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsqlite3-0-9f6b91e17f2f8e97","name":"libsqlite3-0","version":"3.46.1-7+deb13u1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsqlite3-0:libsqlite3-0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3-0:libsqlite3_0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3_0:libsqlite3-0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3_0:libsqlite3_0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3:libsqlite3-0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3:libsqlite3_0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsqlite3-0@3.46.1-7%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=sqlite3","upstreams":[{"name":"sqlite3"}]}},{"vulnerability":{"id":"CVE-2025-14524","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14524","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14524","epss":0.00026,"percentile":0.07206,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14524","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01339},"relatedVulnerabilities":[{"id":"CVE-2025-14524","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14524","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14524.html","https://curl.se/docs/CVE-2025-14524.json","https://hackerone.com/reports/3459417","http://www.openwall.com/lists/oss-security/2026/01/07/4"],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol 
redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14524","epss":0.00026,"percentile":0.07206,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14524","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14524","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-14524","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14524","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target 
host.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14524","epss":0.00026,"percentile":0.07206,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14524","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01339},"relatedVulnerabilities":[{"id":"CVE-2025-14524","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14524","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14524.html","https://curl.se/docs/CVE-2025-14524.json","https://hackerone.com/reports/3459417","http://www.openwall.com/lists/oss-security/2026/01/07/4"],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14524","epss":0.00026,"percentile":0.07206,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14524","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14524","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-14524","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14524","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target 
host.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14524","epss":0.00026,"percentile":0.07206,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14524","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01339},"relatedVulnerabilities":[{"id":"CVE-2025-14524","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14524","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14524.html","https://curl.se/docs/CVE-2025-14524.json","https://hackerone.com/reports/3459417","http://www.openwall.com/lists/oss-security/2026/01/07/4"],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14524","epss":0.00026,"percentile":0.07206,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14524","cwe":"CWE-601","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14524","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-13837","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13837","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013125000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-13837","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13837","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036","https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b","https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70","https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba","https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb","https://gi
thub.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111","https://github.com/python/cpython/issues/119342","https://github.com/python/cpython/pull/119343","https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"],"description":"When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13837","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-13837","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13837","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013125000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-13837","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13837","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036","https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b","https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70","https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba","https://github.com
/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb","https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111","https://github.com/python/cpython/issues/119342","https://github.com/python/cpython/pull/119343","https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"],"description":"When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13837","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-13837","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13837","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013125000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-13837","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13837","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036","https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b","https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70","https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba","https://github.com/python/cpy
thon/commit/b64441e4852383645af5b435411a6f849dd1b4cb","https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111","https://github.com/python/cpython/issues/119342","https://github.com/python/cpython/pull/119343","https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"],"description":"When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13837","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-13837","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13837","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013125000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-13837","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13837","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036","https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b","https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70","https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba","https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb","https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111","https://github.com/python/cpython/issues/119342","https://github.com/python/cpython/pull/119343","https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"],"description":"When loading a plist file, the plistlib module reads data in size specified by 
the file itself, meaning a malicious file can cause OOM and DoS issues","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13837","epss":0.00025,"percentile":0.07029,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13837","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13837","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-6019","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6019","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. 
Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013005000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6019","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6019","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c","https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104","https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8","https://github.com/python/cpython/issues/90309","https://github.com/python/cpython/pull/148848","https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"],"description":"http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. 
Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6019","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-6019","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6019","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"http.cookies.Morsel.js_output() returns an 
inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013005000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6019","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6019","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c","https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104","https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8","https://github.com/python/cpython/issues/90309","https://github.com/python/cpython/pull/148848","https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"],"description":"http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. 
Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6019","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-6019","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6019","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"http.cookies.Morsel.js_output() returns an inline 
<script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013005000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6019","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6019","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c","https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104","https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8","https://github.com/python/cpython/issues/90309","https://github.com/python/cpython/pull/148848","https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"],"description":"http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. 
Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6019","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6019","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6019","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. 
Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.013005000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6019","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6019","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c","https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104","https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8","https://github.com/python/cpython/issues/90309","https://github.com/python/cpython/pull/148848","https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"],"description":"http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. 
Mitigation base64-encodes the cookie value to disallow escaping using cookie value.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6019","epss":0.00051,"percentile":0.1577,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6019","cwe":"CWE-150","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6019","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-2673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2673","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred 
key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword.  Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server.  If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported.  As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction).  OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers.  The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included.  The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security.  
Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group.  The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'.  No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary.  OpenSSL 3.6 and 3.5 are vulnerable to this issue.  OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.  OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2673","epss":0.00017,"percentile":0.04439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2673","cwe":"CWE-757","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-08","kind":"first-observed"}]},"advisories":[],"risk":0.012750000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-2673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2673","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f","https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34","https://openssl-library.org/news/secadv/20260313.txt","http://www.openwall.com/lists/oss-security/2026/03/
13/3"],"description":"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security.  
Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2673","epss":0.00017,"percentile":0.04439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2673","cwe":"CWE-757","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2673","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-libssl3t64-fbc7f38a88f32ab8","name":"libssl3t64","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-2673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2673","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword.  Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server.  If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported.  As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction).  OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers.  
The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included.  The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security.  Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group.  The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'.  No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary.  OpenSSL 3.6 and 3.5 are vulnerable to this issue.  OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.  
OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2673","epss":0.00017,"percentile":0.04439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2673","cwe":"CWE-757","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-08","kind":"first-observed"}]},"advisories":[],"risk":0.012750000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-2673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2673","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f","https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34","https://openssl-library.org/news/secadv/20260313.txt","http://www.openwall.com/lists/oss-security/2026/03/13/3"],"description":"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose 
its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security.  
Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2673","epss":0.00017,"percentile":0.04439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2673","cwe":"CWE-757","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2673","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-0bb8411929274959","name":"openssl","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl:openssl:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl@3.5.5-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-2673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2673","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword.  Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server.  If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported.  As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction).  OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers.  The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. 
If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included.  The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security.  Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group.  The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'.  No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary.  OpenSSL 3.6 and 3.5 are vulnerable to this issue.  OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.  
OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2673","epss":0.00017,"percentile":0.04439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2673","cwe":"CWE-757","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-08","kind":"first-observed"}]},"advisories":[],"risk":0.012750000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-2673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2673","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f","https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34","https://openssl-library.org/news/secadv/20260313.txt","http://www.openwall.com/lists/oss-security/2026/03/13/3"],"description":"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose 
its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security.  
Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2673","epss":0.00017,"percentile":0.04439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2673","cwe":"CWE-757","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2673","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-provider-legacy-58635bb375629269","name":"openssl-provider-legacy","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only 
AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl-provider-legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider-legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-31790","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-31790","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.  Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker.  RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.  
If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext.  As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue.  The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31790","epss":0.00017,"percentile":0.04017,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31790","cwe":"CWE-754","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.012750000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-31790","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31790","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac","https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482","https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406","https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790","https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an 
uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31790","epss":0.00017,"percentile":0.04017,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31790","cwe":"CWE-754","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-31790","versionConstraint":"< 3.5.5-1~deb13u2 
(deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-libssl3t64-fbc7f38a88f32ab8","name":"libssl3t64","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-31790","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-31790","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.  Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker.  RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.  If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext.  As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31790","epss":0.00017,"percentile":0.04017,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31790","cwe":"CWE-754","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.012750000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-31790","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31790","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac","https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482","https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406","https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790","https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. 
The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31790","epss":0.00017,"percentile":0.04017,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31790","cwe":"CWE-754","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-31790","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-0bb8411929274959","name":"openssl","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl:openssl:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl@3.5.5-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-31790","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-31790","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.  Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker.  RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.  If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext.  As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue.  
The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31790","epss":0.00017,"percentile":0.04017,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31790","cwe":"CWE-754","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.5-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.5-1~deb13u2","date":"2026-04-07","kind":"advisory"}]},"advisories":[{"id":"DSA-6201-1","link":"https://security-tracker.debian.org/tracker/DSA-6201-1"}],"risk":0.012750000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-31790","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31790","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac","https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482","https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406","https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790","https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e","https://openssl-library.org/news/secadv/20260407.txt"],"description":"Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. 
The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31790","epss":0.00017,"percentile":0.04017,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-31790","cwe":"CWE-754","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-31790","versionConstraint":"< 3.5.5-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.5-1~deb13u2"}}],"artifact":{"id":"Package-deb-openssl-provider-legacy-58635bb375629269","name":"openssl-provider-legacy","version":"3.5.5-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND LicenseRef-Artistic AND GPL-1.0-only AND 
GPL-1.0-or-later"],"cpes":["cpe:2.3:a:openssl-provider-legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider-legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider_legacy:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl-provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl_provider:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl-provider-legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl_provider_legacy:3.5.5-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=arm64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2025-53905","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-53905","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1552 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53905","epss":0.00028,"percentile":0.07755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53905","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.012739999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-53905","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-53905","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239","https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr","http://www.openwall.com/lists/oss-security/2025/07/15/1"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1552 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53905","epss":0.00028,"percentile":0.07755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53905","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-53905","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-53905","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-53905","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1552 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53905","epss":0.00028,"percentile":0.07755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53905","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.012739999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-53905","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-53905","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239","https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr","http://www.openwall.com/lists/oss-security/2025/07/15/1"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1552 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53905","epss":0.00028,"percentile":0.07755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53905","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-53905","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-53905","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-53905","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1552 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53905","epss":0.00028,"percentile":0.07755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53905","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.012739999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-53905","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-53905","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239","https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr","http://www.openwall.com/lists/oss-security/2025/07/15/1"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. 
Version 9.1.1552 contains a patch for the vulnerability.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-53905","epss":0.00028,"percentile":0.07755,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-53905","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-53905","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-3784","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3784","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. 
The proper behavior is to create or use a separate connection.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3784","epss":0.00022,"percentile":0.06133,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3784","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.012649999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-3784","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3784","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-3784.html","https://curl.se/docs/CVE-2026-3784.json","https://hackerone.com/reports/3584903","http://www.openwall.com/lists/oss-security/2026/03/11/3"],"description":"curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3784","epss":0.00022,"percentile":0.06133,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3784","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3784","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3784","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3784","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3784","epss":0.00022,"percentile":0.06133,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3784","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.012649999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-3784","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3784","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-3784.html","https://curl.se/docs/CVE-2026-3784.json","https://hackerone.com/reports/3584903","http://www.openwall.com/lists/oss-security/2026/03/11/3"],"description":"curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a 
separate connection.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3784","epss":0.00022,"percentile":0.06133,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3784","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3784","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-3784","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3784","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"curl would wrongly reuse an existing HTTP proxy 
connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3784","epss":0.00022,"percentile":0.06133,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3784","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.012649999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-3784","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3784","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-3784.html","https://curl.se/docs/CVE-2026-3784.json","https://hackerone.com/reports/3584903","http://www.openwall.com/lists/oss-security/2026/03/11/3"],"description":"curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate 
connection.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3784","epss":0.00022,"percentile":0.06133,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3784","cwe":"CWE-305","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3784","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2023-42366","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-42366","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at 
awk.c:1159.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-42366","epss":0.00024,"percentile":0.06764,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-42366","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0126},"relatedVulnerabilities":[{"id":"CVE-2023-42366","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-42366","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.busybox.net/show_bug.cgi?id=15874","https://security.netapp.com/advisory/ntap-20241206-0007/"],"description":"A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-42366","epss":0.00024,"percentile":0.06764,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-42366","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-42366","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-42366","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2024-26458","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26458","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.","cvss":[],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0125},"relatedVulnerabilities":[{"id":"CVE-2024-26458","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26458","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md","https://security.netapp.com/advisory/ntap-20240415-0010/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in 
/krb5/src/lib/rpc/pmap_rmt.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26458","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-krb5-locales-47c43824bf48a66c","name":"krb5-locales","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:krb5-locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5-locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5_locales:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/krb5-locales@1.21.3-5?arch=all&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26458","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26458","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in 
/krb5/src/lib/rpc/pmap_rmt.c.","cvss":[],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0125},"relatedVulnerabilities":[{"id":"CVE-2024-26458","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26458","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md","https://security.netapp.com/advisory/ntap-20240415-0010/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26458","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgssapi-krb5-2-f126828866b7e868","name":"libgssapi-krb5-2","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgssapi-krb5-2@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26458","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26458","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.","cvss":[],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0125},"relatedVulnerabilities":[{"id":"CVE-2024-26458","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26458","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md","https://security.netapp.com/advisory/ntap-20240415-0010/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in 
/krb5/src/lib/rpc/pmap_rmt.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26458","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libk5crypto3-83b2cd2d3fde8f6b","name":"libk5crypto3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libk5crypto3:libk5crypto3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libk5crypto3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26458","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26458","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.","cvss":[],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0125},"relatedVulnerabilities":[{"id":"CVE-2024-26458","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26458","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md","https://security.netapp.com/advisory/ntap-20240415-0010/"],"description":"Kerberos 5 (aka 
krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26458","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5-3-2eb5875d5518f857","name":"libkrb5-3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5-3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5-3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5-3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26458","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26458","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in 
/krb5/src/lib/rpc/pmap_rmt.c.","cvss":[],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0125},"relatedVulnerabilities":[{"id":"CVE-2024-26458","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26458","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md","https://security.netapp.com/advisory/ntap-20240415-0010/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26458","epss":0.0025,"percentile":0.48191,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26458","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26458","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5support0-80b206ca5e07fd6c","name":"libkrb5support0","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5support0:libkrb5support0:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5support0@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2026-4948","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4948","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw 
was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4948","epss":0.00023,"percentile":0.06243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4948","cwe":"CWE-279","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.012075},"relatedVulnerabilities":[{"id":"CVE-2026-4948","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4948","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4948","https://bugzilla.redhat.com/show_bug.cgi?id=2452086"],"description":"A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. 
This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4948","epss":0.00023,"percentile":0.06243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4948","cwe":"CWE-279","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"firewalld","version":"2.3.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4948","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-firewalld-7bcb22024d147ed0","name":"firewalld","version":"2.3.1-1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:firewalld:firewalld:2.3.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/firewalld@2.3.1-1?arch=all&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4948","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4948","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. 
This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4948","epss":0.00023,"percentile":0.06243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4948","cwe":"CWE-279","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.012075},"relatedVulnerabilities":[{"id":"CVE-2026-4948","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4948","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4948","https://bugzilla.redhat.com/show_bug.cgi?id=2452086"],"description":"A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. 
This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4948","epss":0.00023,"percentile":0.06243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4948","cwe":"CWE-279","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"firewalld","version":"2.3.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4948","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3-firewall-8d812adaccdae06f","name":"python3-firewall","version":"2.3.1-1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:python3-firewall:python3-firewall:2.3.1-1:*:*:*:*:*:*:*","cpe:2.3:a:python3-firewall:python3_firewall:2.3.1-1:*:*:*:*:*:*:*","cpe:2.3:a:python3_firewall:python3-firewall:2.3.1-1:*:*:*:*:*:*:*","cpe:2.3:a:python3_firewall:python3_firewall:2.3.1-1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-firewall:2.3.1-1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_firewall:2.3.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-firewall@2.3.1-1?arch=all&distro=debian-13&upstream=firewalld","upstreams":[{"name":"firewalld"}]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory 
allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka 
libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka 
libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka 
libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka 
libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka 
libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka 
libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2017-13716","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-13716","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).","cvss":[],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.011850000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-13716","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-13716","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=22009"],"description":"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka 
libbfd).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.1,"exploitabilityScore":8.6,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-13716","epss":0.00237,"percentile":0.46752,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-13716","cwe":"CWE-770","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-13716","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3783","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3783","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  
If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3783","epss":0.00023,"percentile":0.06431,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3783","cwe":"CWE-522","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.011845000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-3783","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3783","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-3783.html","https://curl.se/docs/CVE-2026-3783.json","https://hackerone.com/reports/3583983","http://www.openwall.com/lists/oss-security/2026/03/11/2"],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second 
one.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3783","epss":0.00023,"percentile":0.06431,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3783","cwe":"CWE-522","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3783","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3783","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3783","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  
If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3783","epss":0.00023,"percentile":0.06431,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3783","cwe":"CWE-522","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.011845000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-3783","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3783","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-3783.html","https://curl.se/docs/CVE-2026-3783.json","https://hackerone.com/reports/3583983","http://www.openwall.com/lists/oss-security/2026/03/11/2"],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second 
one.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3783","epss":0.00023,"percentile":0.06431,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3783","cwe":"CWE-522","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3783","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-3783","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3783","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that 
transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3783","epss":0.00023,"percentile":0.06431,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3783","cwe":"CWE-522","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.011845000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-3783","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3783","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2026-3783.html","https://curl.se/docs/CVE-2026-3783.json","https://hackerone.com/reports/3583983","http://www.openwall.com/lists/oss-security/2026/03/11/2"],"description":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second 
one.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3783","epss":0.00023,"percentile":0.06431,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3783","cwe":"CWE-522","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3783","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-6732","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6732","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. 
This results in a denial of service (DoS), making the affected system or application unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6732","epss":0.0002,"percentile":0.05403,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6732","cwe":"CWE-843","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0115},"relatedVulnerabilities":[{"id":"CVE-2026-6732","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6732","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6732","https://bugzilla.redhat.com/show_bug.cgi?id=2461300","https://gitlab.gnome.org/GNOME/libxml2/-/issues/1097","https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/411"],"description":"A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. 
This results in a denial of service (DoS), making the affected system or application unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6732","epss":0.0002,"percentile":0.05403,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6732","cwe":"CWE-843","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6732","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libxml2-5856779bb2cc8107","name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2","type":"deb","locations":null,"language":"","licenses":["ISC AND LicenseRef-MIT-1"],"cpes":["cpe:2.3:a:libxml2:libxml2:2.12.7\\+dfsg\\+really2.9.14-2.1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-32735","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-32735","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. 
The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.","cvss":[{"source":"secure@intel.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-32735","epss":0.00019,"percentile":0.05226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-32735","cwe":"CWE-754","source":"secure@intel.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01121},"relatedVulnerabilities":[{"id":"CVE-2025-32735","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-32735","namespace":"nvd:cpe","severity":"Medium","urls":["https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01403.html"],"description":"Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. 
The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.","cvss":[{"source":"secure@intel.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.8},"vendorMetadata":{}},{"source":"secure@intel.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-32735","epss":0.00019,"percentile":0.05226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-32735","cwe":"CWE-754","source":"secure@intel.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"firmware-nonfree","version":"1:20250410-2+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-32735","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-firmware-brcm80211-dfa9b2ef20b02723","name":"firmware-brcm80211","version":"1:20250410-2+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND LicenseRef-BSD-2-clause-Myricom AND LicenseRef-BSD-2-clause-OpenIB.org AND LicenseRef-BSD-3-clause-3Com AND LicenseRef-BSD-3-clause-Agere AND LicenseRef-BSD-3-clause-Ikanos AND LicenseRef-BSD-3-clause-Intel AND LicenseRef-BSD-3-clause-Qualcomm AND LicenseRef-BSD-4-clause-Kawasaki-LSI AND CC0-1.0 AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Synaptics AND LicenseRef-binary-redist-AMD-permissive AND LicenseRef-binary-redist-AMD-restrictive AND LicenseRef-binary-redist-AMD-restrictive-2 AND 
LicenseRef-binary-redist-Abilis AND LicenseRef-binary-redist-Airoha AND LicenseRef-binary-redist-Amlogic-vdec AND LicenseRef-binary-redist-Amphion AND LicenseRef-binary-redist-Arm-CSF AND LicenseRef-binary-redist-Atheros AND LicenseRef-binary-redist-Broadcom-wifi AND LicenseRef-binary-redist-Cadence AND LicenseRef-binary-redist-Cavium AND LicenseRef-binary-redist-Chelsio AND LicenseRef-binary-redist-Chips-Media AND LicenseRef-binary-redist-Cirrus AND LicenseRef-binary-redist-Comtrol AND LicenseRef-binary-redist-Conexant AND LicenseRef-binary-redist-Creative AND LicenseRef-binary-redist-Cypress AND LicenseRef-binary-redist-DiBcom AND LicenseRef-binary-redist-ENE AND LicenseRef-binary-redist-EULA-Hauppuage AND LicenseRef-binary-redist-EULA-Intel-Pro-Wireless AND LicenseRef-binary-redist-ITEtech AND LicenseRef-binary-redist-Imagination AND LicenseRef-binary-redist-Intel AND LicenseRef-binary-redist-Intel-1 AND LicenseRef-binary-redist-Intel-2 AND LicenseRef-binary-redist-Intel-3 AND LicenseRef-binary-redist-Intel-Ice-enhanced AND LicenseRef-binary-redist-Intel-narrower-patent AND LicenseRef-binary-redist-Lontium AND LicenseRef-binary-redist-MTS AND LicenseRef-binary-redist-Marvell AND LicenseRef-binary-redist-Marvell-OLPC AND LicenseRef-binary-redist-Matrox AND LicenseRef-binary-redist-MediaTek AND LicenseRef-binary-redist-Microchip AND LicenseRef-binary-redist-Micronas AND LicenseRef-binary-redist-Moxa AND LicenseRef-binary-redist-NXP-1 AND LicenseRef-binary-redist-NXP-2 AND LicenseRef-binary-redist-NXP-SDMA AND LicenseRef-binary-redist-NetLogic AND LicenseRef-binary-redist-Netronome AND LicenseRef-binary-redist-Nvidia AND LicenseRef-binary-redist-QLogic-1 AND LicenseRef-binary-redist-QLogic-2 AND LicenseRef-binary-redist-QLogic-3 AND LicenseRef-binary-redist-QLogic-4 AND LicenseRef-binary-redist-QLogic-BR-series AND LicenseRef-binary-redist-Qualcomm-Atheros AND LicenseRef-binary-redist-Qualcomm-media AND LicenseRef-binary-redist-Qualcomm-media-2 AND 
LicenseRef-binary-redist-Ralink AND LicenseRef-binary-redist-Realtek-permissive AND LicenseRef-binary-redist-Realtek-restrictive AND LicenseRef-binary-redist-Renesas AND LicenseRef-binary-redist-Rockchip AND LicenseRef-binary-redist-STMicro AND LicenseRef-binary-redist-Samsung AND LicenseRef-binary-redist-Sensoray AND LicenseRef-binary-redist-Siano AND LicenseRef-binary-redist-Silicon-Labs AND LicenseRef-binary-redist-Terratec AND LicenseRef-binary-redist-Texas-Instruments AND LicenseRef-binary-redist-Texas-Instruments-TSPA AND LicenseRef-binary-redist-VIA-vt6656 AND LicenseRef-binary-redist-Xceive AND LicenseRef-binary-redist-firmware AND LicenseRef-permissive-Advansys AND LicenseRef-permissive-BayCom"],"cpes":["cpe:2.3:a:firmware-brcm80211:firmware-brcm80211:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware-brcm80211:firmware_brcm80211:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware_brcm80211:firmware-brcm80211:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware_brcm80211:firmware_brcm80211:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware:firmware-brcm80211:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware:firmware_brcm80211:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/firmware-brcm80211@1%3A20250410-2%2Brpt1?arch=all&distro=debian-13&upstream=firmware-nonfree","upstreams":[{"name":"firmware-nonfree"}]}},{"vulnerability":{"id":"CVE-2025-32735","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-32735","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. 
The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.","cvss":[{"source":"secure@intel.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-32735","epss":0.00019,"percentile":0.05226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-32735","cwe":"CWE-754","source":"secure@intel.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.01121},"relatedVulnerabilities":[{"id":"CVE-2025-32735","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-32735","namespace":"nvd:cpe","severity":"Medium","urls":["https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01403.html"],"description":"Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. 
The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.","cvss":[{"source":"secure@intel.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.8},"vendorMetadata":{}},{"source":"secure@intel.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-32735","epss":0.00019,"percentile":0.05226,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-32735","cwe":"CWE-754","source":"secure@intel.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"firmware-nonfree","version":"1:20250410-2+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-32735","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-firmware-realtek-54c910167cbec406","name":"firmware-realtek","version":"1:20250410-2+rpt1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND LicenseRef-BSD-2-clause-Myricom AND LicenseRef-BSD-2-clause-OpenIB.org AND LicenseRef-BSD-3-clause-3Com AND LicenseRef-BSD-3-clause-Agere AND LicenseRef-BSD-3-clause-Ikanos AND LicenseRef-BSD-3-clause-Intel AND LicenseRef-BSD-3-clause-Qualcomm AND LicenseRef-BSD-4-clause-Kawasaki-LSI AND CC0-1.0 AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Synaptics AND LicenseRef-binary-redist-AMD-permissive AND LicenseRef-binary-redist-AMD-restrictive AND LicenseRef-binary-redist-AMD-restrictive-2 AND 
LicenseRef-binary-redist-Abilis AND LicenseRef-binary-redist-Airoha AND LicenseRef-binary-redist-Amlogic-vdec AND LicenseRef-binary-redist-Amphion AND LicenseRef-binary-redist-Arm-CSF AND LicenseRef-binary-redist-Atheros AND LicenseRef-binary-redist-Broadcom-wifi AND LicenseRef-binary-redist-Cadence AND LicenseRef-binary-redist-Cavium AND LicenseRef-binary-redist-Chelsio AND LicenseRef-binary-redist-Chips-Media AND LicenseRef-binary-redist-Cirrus AND LicenseRef-binary-redist-Comtrol AND LicenseRef-binary-redist-Conexant AND LicenseRef-binary-redist-Creative AND LicenseRef-binary-redist-Cypress AND LicenseRef-binary-redist-DiBcom AND LicenseRef-binary-redist-ENE AND LicenseRef-binary-redist-EULA-Hauppuage AND LicenseRef-binary-redist-EULA-Intel-Pro-Wireless AND LicenseRef-binary-redist-ITEtech AND LicenseRef-binary-redist-Imagination AND LicenseRef-binary-redist-Intel AND LicenseRef-binary-redist-Intel-1 AND LicenseRef-binary-redist-Intel-2 AND LicenseRef-binary-redist-Intel-3 AND LicenseRef-binary-redist-Intel-Ice-enhanced AND LicenseRef-binary-redist-Intel-narrower-patent AND LicenseRef-binary-redist-Lontium AND LicenseRef-binary-redist-MTS AND LicenseRef-binary-redist-Marvell AND LicenseRef-binary-redist-Marvell-OLPC AND LicenseRef-binary-redist-Matrox AND LicenseRef-binary-redist-MediaTek AND LicenseRef-binary-redist-Microchip AND LicenseRef-binary-redist-Micronas AND LicenseRef-binary-redist-Moxa AND LicenseRef-binary-redist-NXP-1 AND LicenseRef-binary-redist-NXP-2 AND LicenseRef-binary-redist-NXP-SDMA AND LicenseRef-binary-redist-NetLogic AND LicenseRef-binary-redist-Netronome AND LicenseRef-binary-redist-Nvidia AND LicenseRef-binary-redist-QLogic-1 AND LicenseRef-binary-redist-QLogic-2 AND LicenseRef-binary-redist-QLogic-3 AND LicenseRef-binary-redist-QLogic-4 AND LicenseRef-binary-redist-QLogic-BR-series AND LicenseRef-binary-redist-Qualcomm-Atheros AND LicenseRef-binary-redist-Qualcomm-media AND LicenseRef-binary-redist-Qualcomm-media-2 AND 
LicenseRef-binary-redist-Ralink AND LicenseRef-binary-redist-Realtek-permissive AND LicenseRef-binary-redist-Realtek-restrictive AND LicenseRef-binary-redist-Renesas AND LicenseRef-binary-redist-Rockchip AND LicenseRef-binary-redist-STMicro AND LicenseRef-binary-redist-Samsung AND LicenseRef-binary-redist-Sensoray AND LicenseRef-binary-redist-Siano AND LicenseRef-binary-redist-Silicon-Labs AND LicenseRef-binary-redist-Terratec AND LicenseRef-binary-redist-Texas-Instruments AND LicenseRef-binary-redist-Texas-Instruments-TSPA AND LicenseRef-binary-redist-VIA-vt6656 AND LicenseRef-binary-redist-Xceive AND LicenseRef-binary-redist-firmware AND LicenseRef-permissive-Advansys AND LicenseRef-permissive-BayCom"],"cpes":["cpe:2.3:a:firmware-realtek:firmware-realtek:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware-realtek:firmware_realtek:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware_realtek:firmware-realtek:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware_realtek:firmware_realtek:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware:firmware-realtek:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:firmware:firmware_realtek:1\\:20250410-2\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/firmware-realtek@1%3A20250410-2%2Brpt1?arch=all&distro=debian-13&upstream=firmware-nonfree","upstreams":[{"name":"firmware-nonfree"}]}},{"vulnerability":{"id":"CVE-2026-35177","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35177","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. 
This vulnerability is fixed in 9.2.0280.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35177","epss":0.00015,"percentile":0.03177,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35177","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01095},"relatedVulnerabilities":[{"id":"CVE-2026-35177","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35177","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24"],"description":"Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. 
This vulnerability is fixed in 9.2.0280.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35177","epss":0.00015,"percentile":0.03177,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35177","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35177","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-35177","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35177","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35177","epss":0.00015,"percentile":0.03177,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35177","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01095},"relatedVulnerabilities":[{"id":"CVE-2026-35177","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35177","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24"],"description":"Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. 
This vulnerability is fixed in 9.2.0280.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35177","epss":0.00015,"percentile":0.03177,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35177","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35177","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-35177","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35177","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35177","epss":0.00015,"percentile":0.03177,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35177","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01095},"relatedVulnerabilities":[{"id":"CVE-2026-35177","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35177","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24"],"description":"Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. 
This vulnerability is fixed in 9.2.0280.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L","metrics":{"baseScore":4.1,"exploitabilityScore":1.1,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35177","epss":0.00015,"percentile":0.03177,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35177","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35177","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2020-15719","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-15719","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"libldap in certain third-party 
OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.","cvss":[],"epss":[{"cve":"CVE-2020-15719","epss":0.00216,"percentile":0.43921,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15719","cwe":"CWE-295","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0108},"relatedVulnerabilities":[{"id":"CVE-2020-15719","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-15719","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html","http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html","https://access.redhat.com/errata/RHBA-2019:3674","https://bugs.openldap.org/show_bug.cgi?id=9266","https://bugzilla.redhat.com/show_bug.cgi?id=1740070","https://kc.mcafee.com/corporate/index?page=content&id=SB10365","https://www.oracle.com/security-alerts/cpuapr2022.html"],"description":"libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). 
This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:N","metrics":{"baseScore":4,"exploitabilityScore":5,"impactScore":5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-15719","epss":0.00216,"percentile":0.43921,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15719","cwe":"CWE-295","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-15719","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap-common-0c527d3d89610a10","name":"libldap-common","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap-common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap-common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap-common@2.6.10%2Bdfsg-1?arch=all&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2020-15719","dataSource":"https://security-tracker.debian.org/tracker/CVE-2020-15719","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). 
This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.","cvss":[],"epss":[{"cve":"CVE-2020-15719","epss":0.00216,"percentile":0.43921,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15719","cwe":"CWE-295","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0108},"relatedVulnerabilities":[{"id":"CVE-2020-15719","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-15719","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html","http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html","https://access.redhat.com/errata/RHBA-2019:3674","https://bugs.openldap.org/show_bug.cgi?id=9266","https://bugzilla.redhat.com/show_bug.cgi?id=1740070","https://kc.mcafee.com/corporate/index?page=content&id=SB10365","https://www.oracle.com/security-alerts/cpuapr2022.html"],"description":"libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). 
This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:N","metrics":{"baseScore":4,"exploitabilityScore":5,"impactScore":5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-15719","epss":0.00216,"percentile":0.43921,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2020-15719","cwe":"CWE-295","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2020-15719","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap2-c8352a83e37f53d5","name":"libldap2","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap2:libldap2:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap2@2.6.10%2Bdfsg-1?arch=arm64&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. 
This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. 
This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. 
This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1176","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1176","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01065},"relatedVulnerabilities":[{"id":"CVE-2025-1176","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1176","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15913","https://sourceware.org/bugzilla/show_bug.cgi?id=32636","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f9978defb6fab0bd8583942d97c112b0932ac814","https://vuldb.com/?ctiid.295079","https://vuldb.com/?id.295079","https://vuldb.com/?submit.495329","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0007/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1176","epss":0.00213,"percentile":0.43691,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1176","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1176","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1176","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107
fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with 
spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"d
escription":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. 
From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. 
From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. 
From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API 
call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with 
spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"d
escription":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) 
hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdb
e8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. 
From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. 
From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-29111","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-29111","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. 
No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0105},"relatedVulnerabilities":[{"id":"CVE-2026-29111","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29111","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a","https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6","https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412","https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd","https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f","https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f","https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69","https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6","https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c","https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8","https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"],"description":"systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. 
From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29111","epss":0.0002,"percentile":0.05548,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-29111","cwe":"CWE-269","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-29111","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2011-4116","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-4116","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"_is_safe in the File::Temp module for Perl does not properly handle 
symlinks.","cvss":[],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01},"relatedVulnerabilities":[{"id":"CVE-2011-4116","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-4116","namespace":"nvd:cpe","severity":"Low","urls":["http://www.openwall.com/lists/oss-security/2011/11/04/2","http://www.openwall.com/lists/oss-security/2011/11/04/4","https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14","https://rt.cpan.org/Public/Bug/Display.html?id=69106","https://seclists.org/oss-sec/2011/q4/238"],"description":"_is_safe in the File::Temp module for Perl does not properly handle symlinks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:S/C:N/I:P/A:N","metrics":{"baseScore":1.5,"exploitabilityScore":2.7,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"perl","version":"5.40.1-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-4116","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libperl5.40-b4e00d690ca158ce","name":"libperl5.40","version":"5.40.1-6","type":"deb","locations":null,"language":"","licenses":["Artistic AND Artistic-2.0 AND Artistic-dist AND BSD-3-Clause AND LicenseRef-BSD-3-clause-GENERIC AND LicenseRef-BSD-3-clause-with-weird-numbering AND 
LicenseRef-BSD-4-clause-POWERDOG AND LicenseRef-BZIP AND LicenseRef-DONT-CHANGE-THE-GPL AND LicenseRef-Expat AND FSFAP AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-3--WITH-BISON-EXCEPTION AND LGPL-2.1-only AND LicenseRef-REGCOMP AND LicenseRef-REGCOMP- AND LicenseRef-SDBM-PUBLIC-DOMAIN AND LicenseRef-TEXT-TABS AND LicenseRef-Unicode AND Zlib"],"cpes":["cpe:2.3:a:libperl5.40:libperl5.40:5.40.1-6:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libperl5.40@5.40.1-6?arch=arm64&distro=debian-13&upstream=perl","upstreams":[{"name":"perl"}]}},{"vulnerability":{"id":"CVE-2011-4116","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-4116","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"_is_safe in the File::Temp module for Perl does not properly handle symlinks.","cvss":[],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01},"relatedVulnerabilities":[{"id":"CVE-2011-4116","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-4116","namespace":"nvd:cpe","severity":"Low","urls":["http://www.openwall.com/lists/oss-security/2011/11/04/2","http://www.openwall.com/lists/oss-security/2011/11/04/4","https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14","https://rt.cpan.org/Public/Bug/Display.html?id=69106","https://seclists.org/oss-sec/2011/q4/238"],"description":"_is_safe in the File::Temp module for Perl does not properly handle 
symlinks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:S/C:N/I:P/A:N","metrics":{"baseScore":1.5,"exploitabilityScore":2.7,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"perl","version":"5.40.1-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-4116","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-perl-954e397c66034b0f","name":"perl","version":"5.40.1-6","type":"deb","locations":null,"language":"","licenses":["Artistic AND Artistic-2.0 AND Artistic-dist AND BSD-3-Clause AND LicenseRef-BSD-3-clause-GENERIC AND LicenseRef-BSD-3-clause-with-weird-numbering AND LicenseRef-BSD-4-clause-POWERDOG AND LicenseRef-BZIP AND LicenseRef-DONT-CHANGE-THE-GPL AND LicenseRef-Expat AND FSFAP AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-3--WITH-BISON-EXCEPTION AND LGPL-2.1-only AND LicenseRef-REGCOMP AND LicenseRef-REGCOMP- AND LicenseRef-SDBM-PUBLIC-DOMAIN AND LicenseRef-TEXT-TABS AND LicenseRef-Unicode AND Zlib"],"cpes":["cpe:2.3:a:perl:perl:5.40.1-6:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/perl@5.40.1-6?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2011-4116","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-4116","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"_is_safe in the File::Temp module for Perl does not properly handle 
symlinks.","cvss":[],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01},"relatedVulnerabilities":[{"id":"CVE-2011-4116","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-4116","namespace":"nvd:cpe","severity":"Low","urls":["http://www.openwall.com/lists/oss-security/2011/11/04/2","http://www.openwall.com/lists/oss-security/2011/11/04/4","https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14","https://rt.cpan.org/Public/Bug/Display.html?id=69106","https://seclists.org/oss-sec/2011/q4/238"],"description":"_is_safe in the File::Temp module for Perl does not properly handle symlinks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:S/C:N/I:P/A:N","metrics":{"baseScore":1.5,"exploitabilityScore":2.7,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"perl","version":"5.40.1-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-4116","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-perl-base-77e71f7070ad7c59","name":"perl-base","version":"5.40.1-6","type":"deb","locations":null,"language":"","licenses":["Artistic AND Artistic-2.0 AND Artistic-dist AND BSD-3-Clause AND LicenseRef-BSD-3-clause-GENERIC AND LicenseRef-BSD-3-clause-with-weird-numbering AND 
LicenseRef-BSD-4-clause-POWERDOG AND LicenseRef-BZIP AND LicenseRef-DONT-CHANGE-THE-GPL AND LicenseRef-Expat AND FSFAP AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-3--WITH-BISON-EXCEPTION AND LGPL-2.1-only AND LicenseRef-REGCOMP AND LicenseRef-REGCOMP- AND LicenseRef-SDBM-PUBLIC-DOMAIN AND LicenseRef-TEXT-TABS AND LicenseRef-Unicode AND Zlib"],"cpes":["cpe:2.3:a:perl-base:perl-base:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl-base:perl_base:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl_base:perl-base:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl_base:perl_base:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl:perl-base:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl:perl_base:5.40.1-6:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/perl-base@5.40.1-6?arch=arm64&distro=debian-13&upstream=perl","upstreams":[{"name":"perl"}]}},{"vulnerability":{"id":"CVE-2011-4116","dataSource":"https://security-tracker.debian.org/tracker/CVE-2011-4116","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"_is_safe in the File::Temp module for Perl does not properly handle symlinks.","cvss":[],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.01},"relatedVulnerabilities":[{"id":"CVE-2011-4116","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2011-4116","namespace":"nvd:cpe","severity":"Low","urls":["http://www.openwall.com/lists/oss-security/2011/11/04/2","http://www.openwall.com/lists/oss-security/2011/11/04/4","https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14","https://rt.cpan.org/Public/Bug/Display.html?id=69106","https://seclists.org/oss-sec/2011/q4/238"],"description":"_is_safe in the File::Temp module for Perl does not properly handle 
symlinks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:S/C:N/I:P/A:N","metrics":{"baseScore":1.5,"exploitabilityScore":2.7,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2011-4116","epss":0.002,"percentile":0.41871,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2011-4116","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"perl","version":"5.40.1-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2011-4116","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-perl-modules-5.40-2ddb516994b4c1cb","name":"perl-modules-5.40","version":"5.40.1-6","type":"deb","locations":null,"language":"","licenses":["Artistic AND Artistic-2.0 AND Artistic-dist AND BSD-3-Clause AND LicenseRef-BSD-3-clause-GENERIC AND LicenseRef-BSD-3-clause-with-weird-numbering AND LicenseRef-BSD-4-clause-POWERDOG AND LicenseRef-BZIP AND LicenseRef-DONT-CHANGE-THE-GPL AND LicenseRef-Expat AND FSFAP AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-3--WITH-BISON-EXCEPTION AND LGPL-2.1-only AND LicenseRef-REGCOMP AND LicenseRef-REGCOMP- AND LicenseRef-SDBM-PUBLIC-DOMAIN AND LicenseRef-TEXT-TABS AND LicenseRef-Unicode AND 
Zlib"],"cpes":["cpe:2.3:a:perl-modules-5.40:perl-modules-5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl-modules-5.40:perl_modules_5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl_modules_5.40:perl-modules-5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl_modules_5.40:perl_modules_5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl-modules:perl-modules-5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl-modules:perl_modules_5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl_modules:perl-modules-5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl_modules:perl_modules_5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl:perl-modules-5.40:5.40.1-6:*:*:*:*:*:*:*","cpe:2.3:a:perl:perl_modules_5.40:5.40.1-6:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/perl-modules-5.40@5.40.1-6?arch=all&distro=debian-13&upstream=perl","upstreams":[{"name":"perl"}]}},{"vulnerability":{"id":"CVE-2026-34933","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34933","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. 
This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009975000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-34933","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34933","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/625ca0fac19229f6dfa3a6c6b698ae657187e50c","https://github.com/avahi/avahi/pull/891","https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc","http://www.openwall.com/lists/oss-security/2026/04/11/9"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. 
This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34933","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-34933","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34933","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. 
This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009975000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-34933","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34933","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/625ca0fac19229f6dfa3a6c6b698ae657187e50c","https://github.com/avahi/avahi/pull/891","https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc","http://www.openwall.com/lists/oss-security/2026/04/11/9"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. 
This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34933","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-34933","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34933","namespace":"debian:distro:debian:13","sev
erity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009975000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-34933","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34933","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/625ca0fac19229f6dfa3a6c6b698ae657187e50c","https://github.com/avahi/avahi/pull/891","https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc","http://www.openwall.com/lists/oss-security/2026/04/11/9"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. 
This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34933","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-34933","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34933","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. 
This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009975000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-34933","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34933","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/625ca0fac19229f6dfa3a6c6b698ae657187e50c","https://github.com/avahi/avahi/pull/891","https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc","http://www.openwall.com/lists/oss-security/2026/04/11/9"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. 
This issue has been patched in version 0.9-rc4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34933","epss":0.00019,"percentile":0.05169,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34933","cwe":"CWE-617","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34933","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-6843","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6843","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). 
This results in a Denial of Service (DoS) for the `nano` application.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6843","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6843","cwe":"CWE-134","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009975000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6843","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6843","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6843","https://bugzilla.redhat.com/show_bug.cgi?id=2460017"],"description":"A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). 
This results in a Denial of Service (DoS) for the `nano` application.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6843","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6843","cwe":"CWE-134","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nano","version":"8.4-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6843","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-nano-0906c22c973e82bb","name":"nano","version":"8.4-1","type":"deb","locations":null,"language":"","licenses":["GFDL-1.2-only AND LicenseRef-GFDL-NIV- AND GPL-3.0-only AND GPL-3.0-or-later"],"cpes":["cpe:2.3:a:nano:nano:8.4-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/nano@8.4-1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-68471","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68471","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009775},"relatedVulnerabilities":[{"id":"CVE-2025-68471","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68471","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1","https://github.com/avahi/avahi/issues/678","https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68471","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68471","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68471","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009775},"relatedVulnerabilities":[{"id":"CVE-2025-68471","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68471","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1","https://github.com/avahi/avahi/issues/678","https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68471","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND 
LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68471","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68471","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009775},"relatedVulnerabilities":[{"id":"CVE-2025-68471","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68471","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1","https://github.com/avahi/avahi/issues/678","https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68471","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68471","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68471","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009775},"relatedVulnerabilities":[{"id":"CVE-2025-68471","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68471","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1","https://github.com/avahi/avahi/issues/678","https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68471","epss":0.00017,"percentile":0.04164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68471","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68471","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-2297","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2297","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. 
sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009630000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-2297","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2297","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e","https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e","https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86","https://github.com/python/cpython/issues/145506","https://github.com/python/cpython/pull/145507","http://www.openwall.com/lists/oss-security/2026/03/05/6"],"description":"The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. 
sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2297","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-2297","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2297","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The import hook in CPython that handles 
legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009630000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-2297","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2297","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e","https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e","https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86","https://github.com/python/cpython/issues/145506","https://github.com/python/cpython/pull/145507","http://www.openwall.com/lists/oss-security/2026/03/05/6"],"description":"The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. 
sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2297","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-2297","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2297","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The import hook in CPython that handles legacy *.pyc 
files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009630000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-2297","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2297","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e","https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e","https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86","https://github.com/python/cpython/issues/145506","https://github.com/python/cpython/pull/145507","http://www.openwall.com/lists/oss-security/2026/03/05/6"],"description":"The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. 
sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2297","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-2297","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2297","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. 
sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009630000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-2297","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2297","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e","https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e","https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86","https://github.com/python/cpython/issues/145506","https://github.com/python/cpython/pull/145507","http://www.openwall.com/lists/oss-security/2026/03/05/6"],"description":"The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. 
sys.audit handlers for this audit event therefore do not fire.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2297","epss":0.00018,"percentile":0.04728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-2297","cwe":"CWE-668","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2297","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2007-2768","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-2768","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows 
remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.","cvss":[],"epss":[{"cve":"CVE-2007-2768","epss":0.00189,"percentile":0.40498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2768","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00945},"relatedVulnerabilities":[{"id":"CVE-2007-2768","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-2768","namespace":"nvd:cpe","severity":"Medium","urls":["http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html","http://www.osvdb.org/34601","https://security.netapp.com/advisory/ntap-20191107-0002/"],"description":"OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-2768","epss":0.00189,"percentile":0.40498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2768","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-2768","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND 
BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2007-2768","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-2768","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.","cvss":[],"epss":[{"cve":"CVE-2007-2768","epss":0.00189,"percentile":0.40498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2768","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00945},"relatedVulnerabilities":[{"id":"CVE-2007-2768","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-2768","namespace":"nvd:cpe","severity":"Medium","urls":["http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html","http://www.osvdb.org/34601","https://security.netapp.com/advisory/ntap-20191107-0002/"],"description":"OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the 
existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-2768","epss":0.00189,"percentile":0.40498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2768","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-2768","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2007-2768","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-2768","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.","cvss":[],"epss":[{"cve":"CVE-2007-2768","epss":0.00189,"percentile":0.40498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2768","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00945},"relatedVulnerabilities":[{"id":"CVE-2007-2768","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-2768","namespace":"nvd:cpe","severity":"Medium","urls":["http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html","http://www.osvdb.org/34601","https://security.netapp.com/advisory/ntap-20191107-0002/"],"description":"OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a 
similar issue to CVE-2007-2243.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-2768","epss":0.00189,"percentile":0.40498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-2768","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-2768","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-1489","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1489","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009360000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-1489","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1489","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1489","https://bugzilla.redhat.com/show_bug.cgi?id=2433348","https://gitlab.gnome.org/GNOME/glib/-/issues/3872"],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1489","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gir1.2-glib-2.0-e0776636faa7c9e3","name":"gir1.2-glib-2.0","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:gir1.2-glib-2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib-2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gir1.2-glib-2.0@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1489","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1489","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009360000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-1489","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1489","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1489","https://bugzilla.redhat.com/show_bug.cgi?id=2433348","https://gitlab.gnome.org/GNOME/glib/-/issues/3872"],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1489","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-0t64-eefae290723bdc16","name":"libglib2.0-0t64","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1489","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1489","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009360000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-1489","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1489","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1489","https://bugzilla.redhat.com/show_bug.cgi?id=2433348","https://gitlab.gnome.org/GNOME/glib/-/issues/3872"],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1489","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-bin-cfa6976752b86f25","name":"libglib2.0-bin","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-bin@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1489","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1489","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.009360000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-1489","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1489","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1489","https://bugzilla.redhat.com/show_bug.cgi?id=2433348","https://gitlab.gnome.org/GNOME/glib/-/issues/3872"],"description":"A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. 
This could cause applications utilizing GLib for string conversion to crash or become unstable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1489","epss":0.00018,"percentile":0.04894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1489","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1489","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-data-bbd4ccdf8b009a02","name":"libglib2.0-data","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-data@2.84.4-3~deb13u2?arch=all&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2025-12781","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12781","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.     This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.     The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. 
Users are recommended to mitigate by verifying user-controlled inputs match the base64  alphabet they are expecting or verify that their application would not be  affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00927},"relatedVulnerabilities":[{"id":"CVE-2025-12781","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12781","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b","https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947","https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5","https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76","https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5","https://github.com/python/cpython/issues/125346","https://github.com/python/cpython/pull/141128","https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/"],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. 
This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.\n\n\n\n\nThis behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.\n\n\n\n\nThe attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 \nalphabet they are expecting or verify that their application would not be \naffected if the b64decode() functions accepted \"+\" or \"/\" outside of 
altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12781","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-12781","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12781","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.     This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.     The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. 
Users are recommended to mitigate by verifying user-controlled inputs match the base64  alphabet they are expecting or verify that their application would not be  affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00927},"relatedVulnerabilities":[{"id":"CVE-2025-12781","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12781","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b","https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947","https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5","https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76","https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5","https://github.com/python/cpython/issues/125346","https://github.com/python/cpython/pull/141128","https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/"],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. 
This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.\n\n\n\n\nThis behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.\n\n\n\n\nThe attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 \nalphabet they are expecting or verify that their application would not be \naffected if the b64decode() functions accepted \"+\" or \"/\" outside of 
altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12781","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-12781","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12781","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.     This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.     The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. 
Users are recommended to mitigate by verifying user-controlled inputs match the base64  alphabet they are expecting or verify that their application would not be  affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00927},"relatedVulnerabilities":[{"id":"CVE-2025-12781","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12781","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b","https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947","https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5","https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76","https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5","https://github.com/python/cpython/issues/125346","https://github.com/python/cpython/pull/141128","https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/"],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. 
This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.\n\n\n\n\nThis behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.\n\n\n\n\nThe attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 \nalphabet they are expecting or verify that their application would not be \naffected if the b64decode() functions accepted \"+\" or \"/\" outside of 
altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12781","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-12781","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-12781","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. 
This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.     This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.     The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64  alphabet they are expecting or verify that their application would not be  affected if the b64decode() functions accepted \"+\" or \"/\" outside of 
altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00927},"relatedVulnerabilities":[{"id":"CVE-2025-12781","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-12781","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b","https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947","https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5","https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76","https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5","https://github.com/python/cpython/issues/125346","https://github.com/python/cpython/pull/141128","https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/"],"description":"When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.\n\n\n\n\nThis behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). 
If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.\n\n\n\n\nThe attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 \nalphabet they are expecting or verify that their application would not be \naffected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-12781","epss":0.00018,"percentile":0.04898,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-12781","cwe":"CWE-704","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-12781","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-28417","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28417","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. 
Version 9.2.0073 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28417","epss":0.00012,"percentile":0.01896,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28417","cwe":"CWE-86","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28417","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00918},"relatedVulnerabilities":[{"id":"CVE-2026-28417","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28417","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/79348dbbc09332130f4c860","https://github.com/vim/vim/releases/tag/v9.2.0073","https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336","http://www.openwall.com/lists/oss-security/2026/02/27/6"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. 
Version 9.2.0073 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28417","epss":0.00012,"percentile":0.01896,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28417","cwe":"CWE-86","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28417","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28417","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28417","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28417","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. 
Version 9.2.0073 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28417","epss":0.00012,"percentile":0.01896,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28417","cwe":"CWE-86","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28417","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00918},"relatedVulnerabilities":[{"id":"CVE-2026-28417","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28417","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/79348dbbc09332130f4c860","https://github.com/vim/vim/releases/tag/v9.2.0073","https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336","http://www.openwall.com/lists/oss-security/2026/02/27/6"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. 
Version 9.2.0073 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28417","epss":0.00012,"percentile":0.01896,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28417","cwe":"CWE-86","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28417","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28417","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28417","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28417","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. 
Version 9.2.0073 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28417","epss":0.00012,"percentile":0.01896,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28417","cwe":"CWE-86","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28417","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00918},"relatedVulnerabilities":[{"id":"CVE-2026-28417","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28417","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/79348dbbc09332130f4c860","https://github.com/vim/vim/releases/tag/v9.2.0073","https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336","http://www.openwall.com/lists/oss-security/2026/02/27/6"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. 
Version 9.2.0073 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28417","epss":0.00012,"percentile":0.01896,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28417","cwe":"CWE-86","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28417","cwe":"CWE-78","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28417","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-41989","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-41989","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":1.5,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41989","epss":0.00015,"percentile":0.03398,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41989","cwe":"CWE-787","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.008775},"relatedVulnerabilities":[{"id":"CVE-2026-41989","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-41989","namespace":"nvd:cpe","severity":"Medium","urls":["https://dev.gnupg.org/T8211","https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html","https://www.openwall.com/lists/oss-security/2026/04/21/1"],"description":"Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to 
gcry_pk_decrypt.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":1.5,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41989","epss":0.00015,"percentile":0.03398,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41989","cwe":"CWE-787","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libgcrypt20","version":"1.11.0-7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-41989","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgcrypt20-c86a9e34e4b86f35","name":"libgcrypt20","version":"1.11.0-7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgcrypt20:libgcrypt20:1.11.0-7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgcrypt20@1.11.0-7?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security 
vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security 
vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. 
An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31437","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0085},"relatedVulnerabilities":[{"id":"CVE-2023-31437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31437","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31437","epss":0.0017,"percentile":0.37928,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2023-31437","cwe":"CWE-354","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31437","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-28421","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28421","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. 
Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28421","epss":0.00011,"percentile":0.01303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28421","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28421","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.008415},"relatedVulnerabilities":[{"id":"CVE-2026-28421","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28421","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/65c1a143c331c886dc28","https://github.com/vim/vim/releases/tag/v9.2.0077","https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p","http://www.openwall.com/lists/oss-security/2026/02/27/10"],"description":"Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. 
Version 9.2.0077 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28421","epss":0.00011,"percentile":0.01303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28421","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28421","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28421","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28421","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28421","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the 
issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28421","epss":0.00011,"percentile":0.01303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28421","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28421","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.008415},"relatedVulnerabilities":[{"id":"CVE-2026-28421","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28421","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/65c1a143c331c886dc28","https://github.com/vim/vim/releases/tag/v9.2.0077","https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p","http://www.openwall.com/lists/oss-security/2026/02/27/10"],"description":"Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. 
Version 9.2.0077 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28421","epss":0.00011,"percentile":0.01303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28421","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28421","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28421","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28421","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28421","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28421","epss":0.00011,"percentile":0.01303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28421","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28421","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.008415},"relatedVulnerabilities":[{"id":"CVE-2026-28421","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28421","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/65c1a143c331c886dc28","https://github.com/vim/vim/releases/tag/v9.2.0077","https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p","http://www.openwall.com/lists/oss-security/2026/02/27/10"],"descriptio
n":"Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28421","epss":0.00011,"percentile":0.01303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28421","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28421","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28421","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-1484","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1484","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.008280000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-1484","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1484","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1484","https://bugzilla.redhat.com/show_bug.cgi?id=2433259","https://gitlab.gnome.org/GNOME/glib/-/issues/3870"],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. 
Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1484","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gir1.2-glib-2.0-e0776636faa7c9e3","name":"gir1.2-glib-2.0","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:gir1.2-glib-2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib-2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gir1.2-glib-2.0@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1484","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1484","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. 
Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.008280000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-1484","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1484","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1484","https://bugzilla.redhat.com/show_bug.cgi?id=2433259","https://gitlab.gnome.org/GNOME/glib/-/issues/3870"],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. 
Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1484","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-0t64-eefae290723bdc16","name":"libglib2.0-0t64","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1484","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1484","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. 
Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.008280000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-1484","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1484","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1484","https://bugzilla.redhat.com/show_bug.cgi?id=2433259","https://gitlab.gnome.org/GNOME/glib/-/issues/3870"],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. 
Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1484","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-bin-cfa6976752b86f25","name":"libglib2.0-bin","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-bin@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1484","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1484","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. 
Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.008280000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-1484","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1484","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-1484","https://bugzilla.redhat.com/show_bug.cgi?id=2433259","https://gitlab.gnome.org/GNOME/glib/-/issues/3870"],"description":"A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. 
Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.2,"exploitabilityScore":1.7,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1484","epss":0.00018,"percentile":0.04531,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1484","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1484","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-data-bbd4ccdf8b009a02","name":"libglib2.0-data","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-data@2.84.4-3~deb13u2?arch=all&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2007-1743","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-1743","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  
NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00825},"relatedVulnerabilities":[{"id":"CVE-2007-1743","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-1743","namespace":"nvd:cpe","severity":"Medium","urls":["http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511","http://marc.info/?l=apache-httpd-dev&m=117511568709063&w=2","http://marc.info/?l=apache-httpd-dev&m=117511834512138&w=2","http://www.securitytracker.com/id?1017904"],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  
NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.4,"exploitabilityScore":3.4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-1743","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2007-1743","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-1743","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command 
line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00825},"relatedVulnerabilities":[{"id":"CVE-2007-1743","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-1743","namespace":"nvd:cpe","severity":"Medium","urls":["http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511","http://marc.info/?l=apache-httpd-dev&m=117511568709063&w=2","http://marc.info/?l=apache-httpd-dev&m=117511834512138&w=2","http://www.securitytracker.com/id?1017904"],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  
NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.4,"exploitabilityScore":3.4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-1743","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2007-1743","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-1743","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  
NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00825},"relatedVulnerabilities":[{"id":"CVE-2007-1743","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-1743","namespace":"nvd:cpe","severity":"Medium","urls":["http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511","http://marc.info/?l=apache-httpd-dev&m=117511568709063&w=2","http://marc.info/?l=apache-httpd-dev&m=117511834512138&w=2","http://www.securitytracker.com/id?1017904"],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  
NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.4,"exploitabilityScore":3.4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-1743","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2007-1743","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-1743","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  
NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00825},"relatedVulnerabilities":[{"id":"CVE-2007-1743","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-1743","namespace":"nvd:cpe","severity":"Medium","urls":["http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511","http://marc.info/?l=apache-httpd-dev&m=117511568709063&w=2","http://marc.info/?l=apache-httpd-dev&m=117511834512138&w=2","http://www.securitytracker.com/id?1017904"],"description":"suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted.  
NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because \"the attacks described rely on an insecure server configuration\" in which the user \"has write access to the document root.\"  In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.4,"exploitabilityScore":3.4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-1743","epss":0.00165,"percentile":0.37211,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-1743","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-1743","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2025-68468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68468","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. 
As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00805},"relatedVulnerabilities":[{"id":"CVE-2025-68468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a","https://github.com/avahi/avahi/issues/683","https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. 
As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68468","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. 
As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00805},"relatedVulnerabilities":[{"id":"CVE-2025-68468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a","https://github.com/avahi/avahi/issues/683","https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. 
As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68468","namespace":"debian:distro:debian:13","severity"
:"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00805},"relatedVulnerabilities":[{"id":"CVE-2025-68468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a","https://github.com/avahi/avahi/issues/683","https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. 
As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68468","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. 
As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00805},"relatedVulnerabilities":[{"id":"CVE-2025-68468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a","https://github.com/avahi/avahi/issues/683","https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. 
As soon as they expire avahi-daemon crashes.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68468","epss":0.00014,"percentile":0.0262,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68468","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-6100","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6100","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. 
The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00755},"relatedVulnerabilities":[{"id":"CVE-2026-6100","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6100","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e","https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d","https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20","https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b","https://github.com/python/cpython/issues/148395","https://github.com/python/cpython/pull/148396","https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/","http://www.openwall.com/lists/oss-security/2026/04/13/10"],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. 
This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":9.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6100","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-6100","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6100","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. 
If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00755},"relatedVulnerabilities":[{"id":"CVE-2026-6100","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6100","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e","https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d","https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20","https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b","https://github.com/python/cpython/issues/148395","https://github.com/python/cpython/pull/148396","https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/","http://www.openwall.com/lists/oss-security/2026/04/13/10"],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. 
Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":9.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6100","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-6100","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6100","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. 
If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00755},"relatedVulnerabilities":[{"id":"CVE-2026-6100","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6100","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e","https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d","https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20","https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b","https://github.com/python/cpython/issues/148395","https://github.com/python/cpython/pull/148396","https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/","http://www.openwall.com/lists/oss-security/2026/04/13/10"],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. 
Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":9.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6100","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6100","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6100","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression 
instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00755},"relatedVulnerabilities":[{"id":"CVE-2026-6100","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6100","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e","https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d","https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20","https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b","https://github.com/python/cpython/issues/148395","https://github.com/python/cpython/pull/148396","https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/","http://www.openwall.com/lists/oss-security/2026/04/13/10"],"description":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when 
a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":9.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6100","epss":0.00151,"percentile":0.35274,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6100","cwe":"CWE-416","source":"cna@python.org","type":"Secondary"},{"cve":"CVE-2026-6100","cwe":"CWE-787","source":"cna@python.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6100","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. 
As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. 
No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. 
During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. 
No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. 
During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. 
No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69650","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69650","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF 
binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007450000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69650","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69650","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. 
No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69650","epss":0.00149,"percentile":0.35033,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2025-69650","cwe":"CWE-415","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69650","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-33412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-33412","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. 
Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.3,"exploitabilityScore":1.4,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33412","epss":0.0001,"percentile":0.01147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-33412","cwe":"CWE-78","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0073999999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-33412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-33412","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a","https://github.com/vim/vim/releases/tag/v9.2.0202","https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c","http://www.openwall.com/lists/oss-security/2026/03/19/10"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. 
This issue has been patched in version 9.2.0202.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.3,"exploitabilityScore":1.4,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N","metrics":{"baseScore":5.6,"exploitabilityScore":1.4,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33412","epss":0.0001,"percentile":0.01147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-33412","cwe":"CWE-78","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-33412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-33412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-33412","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. 
This issue has been patched in version 9.2.0202.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.3,"exploitabilityScore":1.4,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33412","epss":0.0001,"percentile":0.01147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-33412","cwe":"CWE-78","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0073999999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-33412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-33412","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a","https://github.com/vim/vim/releases/tag/v9.2.0202","https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c","http://www.openwall.com/lists/oss-security/2026/03/19/10"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. 
This issue has been patched in version 9.2.0202.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.3,"exploitabilityScore":1.4,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N","metrics":{"baseScore":5.6,"exploitabilityScore":1.4,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33412","epss":0.0001,"percentile":0.01147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-33412","cwe":"CWE-78","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-33412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-33412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-33412","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. 
This issue has been patched in version 9.2.0202.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.3,"exploitabilityScore":1.4,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33412","epss":0.0001,"percentile":0.01147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-33412","cwe":"CWE-78","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0073999999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-33412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-33412","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a","https://github.com/vim/vim/releases/tag/v9.2.0202","https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c","http://www.openwall.com/lists/oss-security/2026/03/19/10"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. 
This issue has been patched in version 9.2.0202.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.3,"exploitabilityScore":1.4,"impactScore":5.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N","metrics":{"baseScore":5.6,"exploitabilityScore":1.4,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33412","epss":0.0001,"percentile":0.01147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-33412","cwe":"CWE-78","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-33412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random 
collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdextrautils-c23db0b188308a2a","name":"bsdextrautils","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdextrautils:bsdextrautils:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdextrautils@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdutils-e11ccc6cace058fe","name":"bsdutils","version":"1:2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdutils:bsdutils:1\\:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdutils@1%3A2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-eject-ea768bbeeffb7a52","name":"eject","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later 
AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:eject:eject:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/eject@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-fdisk-ec3e750aea21e029","name":"fdisk","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later 
AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:fdisk:fdisk:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/fdisk@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libblkid1-56b1dc826d98b9e9","name":"libblkid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libblkid1:libblkid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libblkid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libfdisk1-bbbefcb8907b3bd7","name":"libfdisk1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libfdisk1:libfdisk1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libfdisk1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-liblastlog2-2-ad0e084a4ff7b411","name":"liblastlog2-2","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:liblastlog2-2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2-2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/liblastlog2-2@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). 
The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. 
Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libmount1-66459d6a2e55223e","name":"libmount1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND 
LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libmount1:libmount1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libmount1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsmartcols1-92fb21c80f37cd86","name":"libsmartcols1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsmartcols1:libsmartcols1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsmartcols1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libuuid1-fd028c3811b88694","name":"libuuid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libuuid1:libuuid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libuuid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-login-b08f21232e226b47","name":"login","version":"1:4.16.0-2+really2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:login:login:1\\:4.16.0-2\\+really2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-mount-2a84395d15f466a5","name":"mount","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later 
AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:mount:mount:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/mount@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-rfkill-6166963bfe2df59a","name":"rfkill","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later 
AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:rfkill:rfkill:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/rfkill@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2026-27456","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27456","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007274999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-27456","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27456","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4","https://github.com/util-linux/util-linux/releases/tag/v2.41.4","https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"],"description":"util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. 
This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27456","epss":0.00015,"percentile":0.03147,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27456","cwe":"CWE-59","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-269","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-27456","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27456","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-util-linux-ffaa6c8a5d0e2ea9","name":"util-linux","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND 
GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:util-linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util-linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util_linux:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/util-linux@2.41-5?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-0989","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0989","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. 
This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0989","epss":0.00021,"percentile":0.05734,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0989","cwe":"CWE-674","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.007034999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-0989","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0989","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7519","https://access.redhat.com/security/cve/CVE-2026-0989","https://bugzilla.redhat.com/show_bug.cgi?id=2429933","https://gitlab.gnome.org/GNOME/libxml2/-/issues/998"],"description":"A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. 
This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0989","epss":0.00021,"percentile":0.05734,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0989","cwe":"CWE-674","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0989","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libxml2-5856779bb2cc8107","name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2","type":"deb","locations":null,"language":"","licenses":["ISC AND LicenseRef-MIT-1"],"cpes":["cpe:2.3:a:libxml2:libxml2:2.12.7\\+dfsg\\+really2.9.14-2.1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. 
The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. 
The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in systemd. 
The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-4105","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4105","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A 
flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00702},"relatedVulnerabilities":[{"id":"CVE-2026-4105","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4105","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4105","https://bugzilla.redhat.com/show_bug.cgi?id=2447262","https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"],"description":"A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. 
This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4105","epss":0.00012,"percentile":0.01732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4105","cwe":"CWE-284","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4105","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-45927","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-45927","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"S-Lang 2.3.2 was discovered to contain an arithmetic exception via the function 
tt_sprintf().","cvss":[],"epss":[{"cve":"CVE-2023-45927","epss":0.0014,"percentile":0.33685,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-45927","cwe":"CWE-703","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.007000000000000001},"relatedVulnerabilities":[{"id":"CVE-2023-45927","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-45927","namespace":"nvd:cpe","severity":"Critical","urls":["http://lists.jedsoft.org/lists/slang-users/2023/0000003.html","https://seclists.org/fulldisclosure/2024/Jan/55","http://seclists.org/fulldisclosure/2024/Jan/55"],"description":"S-Lang 2.3.2 was discovered to contain an arithmetic exception via the function tt_sprintf().","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-45927","epss":0.0014,"percentile":0.33685,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-45927","cwe":"CWE-703","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"slang2","version":"2.3.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-45927","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libslang2-88a5e612e350890e","name":"libslang2","version":"2.3.3-5+b2","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND 
GPL-2.0-or-later"],"cpes":["cpe:2.3:a:libslang2:libslang2:2.3.3-5\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libslang2@2.3.3-5%2Bb2?arch=arm64&distro=debian-13&upstream=slang2%402.3.3-5","upstreams":[{"name":"slang2","version":"2.3.3-5"}]}},{"vulnerability":{"id":"CVE-2002-1976","dataSource":"https://security-tracker.debian.org/tracker/CVE-2002-1976","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"ifconfig, when used on the Linux kernel 2.2 and later, does not report when the network interface is in promiscuous mode if it was put in promiscuous mode using PACKET_MR_PROMISC, which could allow attackers to sniff the network without detection, as demonstrated using libpcap.","cvss":[],"epss":[{"cve":"CVE-2002-1976","epss":0.00134,"percentile":0.32849,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2002-1976","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2002-1976","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2002-1976","namespace":"nvd:cpe","severity":"Low","urls":["http://archives.neohapsis.com/archives/bugtraq/2002-07/0279.html","http://online.securityfocus.com/archive/1/284142","http://online.securityfocus.com/archive/1/284257","http://www.iss.net/security_center/static/9676.php","http://www.securityfocus.com/bid/5304"],"description":"ifconfig, when used on the Linux kernel 2.2 and later, does not report when the network interface is in promiscuous mode if it was put in promiscuous mode using PACKET_MR_PROMISC, which could allow attackers to sniff the network without detection, as demonstrated using 
libpcap.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2002-1976","epss":0.00134,"percentile":0.32849,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2002-1976","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"net-tools","version":"2.10-1.3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2002-1976","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-net-tools-f01a292e259c8b50","name":"net-tools","version":"2.10-1.3","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:net-tools:net-tools:2.10-1.3:*:*:*:*:*:*:*","cpe:2.3:a:net-tools:net_tools:2.10-1.3:*:*:*:*:*:*:*","cpe:2.3:a:net_tools:net-tools:2.10-1.3:*:*:*:*:*:*:*","cpe:2.3:a:net_tools:net_tools:2.10-1.3:*:*:*:*:*:*:*","cpe:2.3:a:net:net-tools:2.10-1.3:*:*:*:*:*:*:*","cpe:2.3:a:net:net_tools:2.10-1.3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/net-tools@2.10-1.3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2015-3243","dataSource":"https://security-tracker.debian.org/tracker/CVE-2015-3243","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in 
/var/log/cron.","cvss":[],"epss":[{"cve":"CVE-2015-3243","epss":0.00134,"percentile":0.32593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2015-3243","cwe":"CWE-532","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2015-3243","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2015-3243","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.openwall.com/lists/oss-security/2015/06/18/12","http://www.openwall.com/lists/oss-security/2015/06/20/3","http://www.securityfocus.com/bid/75298","http://www.securitytracker.com/id/1032885","https://bugzilla.redhat.com/show_bug.cgi?id=1232826"],"description":"rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2015-3243","epss":0.00134,"percentile":0.32593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2015-3243","cwe":"CWE-532","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"rsyslog","version":"8.2504.0-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2015-3243","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-rsyslog-b33465fc27c3e6c2","name":"rsyslog","version":"8.2504.0-1","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-3-Clause AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:rsyslog:rsyslog:8.2504.0-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/rsyslog@8.2504.0-1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND 
LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND 
GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. 
An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31438","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0067},"relatedVulnerabilities":[{"id":"CVE-2023-31438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31438","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28886","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31438","epss":0.00134,"percentile":0.32592,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31438","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31438","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2019-1010022","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010022","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00655},"relatedVulnerabilities":[{"id":"CVE-2019-1010022","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010022","namespace":"nvd:cpe","severity":"Critical","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010022","https://sourceware.org/bugzilla/show_bug.cgi?id=22850","https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3","https://ubuntu.com/security/CVE-2019-1010022"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010022","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-bin-b1811065197eb903","name":"libc-bin","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_bin:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_bin:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-bin@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010022","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010022","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00655},"relatedVulnerabilities":[{"id":"CVE-2019-1010022","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010022","namespace":"nvd:cpe","severity":"Critical","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010022","https://sourceware.org/bugzilla/show_bug.cgi?id=22850","https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3","https://ubuntu.com/security/CVE-2019-1010022"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. 
The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010022","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc-l10n-26dfd186b4d34c81","name":"libc-l10n","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND 
LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc-l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc-l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc_l10n:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc-l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libc:libc_l10n:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc-l10n@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010022","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010022","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00655},"relatedVulnerabilities":[{"id":"CVE-2019-1010022","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010022","namespace":"nvd:cpe","severity":"Critical","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010022","https://sourceware.org/bugzilla/show_bug.cgi?id=22850","https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3","https://ubuntu.com/security/CVE-2019-1010022"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. 
The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010022","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libc6-e52229e5146347bb","name":"libc6","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND 
LicenseRef-Univ-Coimbra AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Brpt1%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010022","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010022","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00655},"relatedVulnerabilities":[{"id":"CVE-2019-1010022","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010022","namespace":"nvd:cpe","severity":"Critical","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010022","https://sourceware.org/bugzilla/show_bug.cgi?id=22850","https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3","https://ubuntu.com/security/CVE-2019-1010022"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010022","epss":0.00131,"percentile":0.3228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+rpt1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010022","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-locales-cda209580b7afd66","name":"locales","version":"2.41-12+rpt1+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND LicenseRef-BSD-3-clause-Berkeley AND LicenseRef-BSD-3-clause-Carnegie AND LicenseRef-BSD-3-clause-Oracle AND LicenseRef-BSD-3-clause-WIDE AND LicenseRef-BSD-like-Spencer AND BSL-1.0 AND LicenseRef-CORE-MATH AND LicenseRef-Carnegie AND LicenseRef-DEC AND FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-GPL-2--with-link-exception AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-IBM AND ISC AND LicenseRef-Inner-Net AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-LGPL-2.1--with-link-exception AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-MIT-like-Lord AND LicenseRef-PCRE AND SunPro AND Unicode-DFS-2016 AND LicenseRef-Univ-Coimbra AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:locales:locales:2.41-12\\+rpt1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/locales@2.41-12%2Brpt1%2Bdeb13u2?arch=all&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2025-5278","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5278","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.","cvss":[],"epss":[{"cve":"CVE-2025-5278","epss":0.0013,"percentile":0.3203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5278","cwe":"CWE-121","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0065},"relatedVulnerabilities":[{"id":"CVE-2025-5278","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5278","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2025-5278","https://bugzilla.redhat.com/show_bug.cgi?id=2368764","https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633","http://www.openwall.com/lists/oss-security/2025/05/27/2","http://www.openwall.com/lists/oss-security/2025/05/29/1","http://www.openwall.com/lists/oss-security/2025/05/29/2","https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/NEWS?id=8c9602e3a145e9596dc1a63c6ed67865814b6633#n14","https://security-tracker.debian.org/tracker/CVE-2025-5278"],"description":"A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. 
A malicious input could lead to a crash or leak sensitive data.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5278","epss":0.0013,"percentile":0.3203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5278","cwe":"CWE-121","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"coreutils","version":"9.7-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5278","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-coreutils-2993da8365e6c3ce","name":"coreutils","version":"9.7-3","type":"deb","locations":null,"language":"","licenses":["BSD-4-Clause-UC AND FSFULLR AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-3.0-only AND GPL-3.0-or-later AND ISC"],"cpes":["cpe:2.3:a:coreutils:coreutils:9.7-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/coreutils@9.7-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-0992","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-0992","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. 
This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0992","epss":0.00022,"percentile":0.05989,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0992","cwe":"CWE-400","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.006490000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-0992","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-0992","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/errata/RHSA-2026:7519","https://access.redhat.com/security/cve/CVE-2026-0992","https://bugzilla.redhat.com/show_bug.cgi?id=2429975","https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019"],"description":"A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. 
This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-0992","epss":0.00022,"percentile":0.05989,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-0992","cwe":"CWE-400","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-0992","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libxml2-5856779bb2cc8107","name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2","type":"deb","locations":null,"language":"","licenses":["ISC AND LicenseRef-MIT-1"],"cpes":["cpe:2.3:a:libxml2:libxml2:2.12.7\\+dfsg\\+really2.9.14-2.1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2017-15131","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-15131","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. 
This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux.","cvss":[],"epss":[{"cve":"CVE-2017-15131","epss":0.00129,"percentile":0.3185,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-15131","cwe":"CWE-284","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2017-15131","cwe":"CWE-276","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006449999999999999},"relatedVulnerabilities":[{"id":"CVE-2017-15131","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-15131","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/errata/RHSA-2018:0842","https://bugzilla.redhat.com/show_bug.cgi?id=1412762","https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"],"description":"It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. 
This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.6,"exploitabilityScore":4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-15131","epss":0.00129,"percentile":0.3185,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-15131","cwe":"CWE-284","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2017-15131","cwe":"CWE-276","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"xdg-user-dirs","version":"0.18-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-15131","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-xdg-user-dirs-c10d9b97069a751e","name":"xdg-user-dirs","version":"0.18-2","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:xdg-user-dirs:xdg-user-dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg-user-dirs:xdg_user_dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg_user_dirs:xdg-user-dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg_user_dirs:xdg_user_dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg-user:xdg-user-dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg-user:xdg_user_dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg_user:xdg-user-dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg_user:xdg_user_dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg:xdg-user-dirs:0.18-2:*:*:*:*:*:*:*","cpe:2.3:a:xdg:xdg_user_dirs:0.18-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xdg-user-dirs@0.18-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-45929","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-45929","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"S-Lang 2.3.2 was discovered to contain a segmentation fault via the function fixup_tgetstr().","cvss":[],"epss":[{"cve":"CVE-2023-45929","epss":0.00126,"percentile":0.31546,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-45929","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0063},"relatedVulnerabilities":[{"id":"CVE-2023-45929","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-45929","namespace":"nvd:cpe","severity":"Critical","urls":["http://lists.jedsoft.org/lists/slang-users/2023/0000002.html","http://seclists.org/fulldisclosure/2024/Jan/57"],"description":"S-Lang 2.3.2 was discovered to contain a segmentation fault via the function 
fixup_tgetstr().","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-45929","epss":0.00126,"percentile":0.31546,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-45929","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"slang2","version":"2.3.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-45929","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libslang2-88a5e612e350890e","name":"libslang2","version":"2.3.3-5+b2","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:libslang2:libslang2:2.3.3-5\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libslang2@2.3.3-5%2Bb2?arch=arm64&distro=debian-13&upstream=slang2%402.3.3-5","upstreams":[{"name":"slang2","version":"2.3.3-5"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat 
AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. 
An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND 
GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND 
LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. 
An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2023-31439","dataSource":"https://security-tracker.debian.org/tracker/CVE-2023-31439","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in systemd 253. 
An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00625},"relatedVulnerabilities":[{"id":"CVE-2023-31439","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-31439","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/kastel-security/Journald","https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf","https://github.com/systemd/systemd/pull/28885","https://github.com/systemd/systemd/releases"],"description":"An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-31439","epss":0.00125,"percentile":0.31367,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2023-31439","cwe":"CWE-354","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2023-31439","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:
2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2021-32256","dataSource":"https://security-tracker.debian.org/tracker/CVE-2021-32256","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. 
It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.006200000000000001},"relatedVulnerabilities":[{"id":"CVE-2021-32256","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-32256","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1927070","https://security.netapp.com/advisory/ntap-20230824-0013/"],"description":"An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-32256","epss":0.00124,"percentile":0.31164,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2021-32256","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2021-32256","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69720","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69720","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.006120000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69720","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69720","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/Cao-Wuhui/CVE-2025-69720","https://invisible-island.net/archives/ncurses/6.5/","https://invisible-island.net/ncurses/","https://marc.info/?l=ncurses-bug&m=176539968328570&w=2","https://marc.info/?l=ncurses-bug&m=176540731801330&w=2","https://marc.info/?l=ncurses-bug&m=176545557728083&w=2"],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in 
progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":1.9,"impactScore":5.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69720","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libncursesw6-32e2516577af1ce8","name":"libncursesw6","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND X11"],"cpes":["cpe:2.3:a:libncursesw6:libncursesw6:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libncursesw6@6.5%2B20250216-2?arch=arm64&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-69720","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69720","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in 
analyze_string in progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.006120000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69720","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69720","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/Cao-Wuhui/CVE-2025-69720","https://invisible-island.net/archives/ncurses/6.5/","https://invisible-island.net/ncurses/","https://marc.info/?l=ncurses-bug&m=176539968328570&w=2","https://marc.info/?l=ncurses-bug&m=176540731801330&w=2","https://marc.info/?l=ncurses-bug&m=176545557728083&w=2"],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in 
progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":1.9,"impactScore":5.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69720","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libtinfo6-109ce5d685f813c6","name":"libtinfo6","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND X11"],"cpes":["cpe:2.3:a:libtinfo6:libtinfo6:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libtinfo6@6.5%2B20250216-2?arch=arm64&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-69720","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69720","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in 
progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.006120000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69720","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69720","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/Cao-Wuhui/CVE-2025-69720","https://invisible-island.net/archives/ncurses/6.5/","https://invisible-island.net/ncurses/","https://marc.info/?l=ncurses-bug&m=176539968328570&w=2","https://marc.info/?l=ncurses-bug&m=176540731801330&w=2","https://marc.info/?l=ncurses-bug&m=176545557728083&w=2"],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in 
progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":1.9,"impactScore":5.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69720","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ncurses-base-3f9378db54aaac9e","name":"ncurses-base","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND 
X11"],"cpes":["cpe:2.3:a:ncurses-base:ncurses-base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses-base:ncurses_base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_base:ncurses-base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_base:ncurses_base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses-base:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses_base:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ncurses-base@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-69720","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69720","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.006120000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69720","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69720","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/Cao-Wuhui/CVE-2025-69720","https://invisible-island.net/archives/ncurses/6.5/","https://invisible-island.net/ncurses/","https://marc.info/?l=ncurses-bug&m=176539968328570&w=2","https://marc.info/?l=ncurses-bug&m=176540731801330&w=2","https://marc.info/?l=ncurses-bug&m=176545557728083&w=2"],"description":"The infocmp command-line tool in ncurses 
before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":1.9,"impactScore":5.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69720","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ncurses-bin-a6728d83d34dc83a","name":"ncurses-bin","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND 
X11"],"cpes":["cpe:2.3:a:ncurses-bin:ncurses-bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses-bin:ncurses_bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_bin:ncurses-bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_bin:ncurses_bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses-bin:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses_bin:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ncurses-bin@6.5%2B20250216-2?arch=arm64&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2025-69720","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69720","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.006120000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69720","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69720","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/Cao-Wuhui/CVE-2025-69720","https://invisible-island.net/archives/ncurses/6.5/","https://invisible-island.net/ncurses/","https://marc.info/?l=ncurses-bug&m=176539968328570&w=2","https://marc.info/?l=ncurses-bug&m=176540731801330&w=2","https://marc.info/?l=ncurses-bug&m=176545557728083&w=2"],"description":"The infocmp command-line tool in ncurses before 
6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":1.9,"impactScore":5.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69720","epss":0.00008,"percentile":0.00814,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69720","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"},{"cve":"CVE-2025-69720","cwe":"CWE-120","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ncurses","version":"6.5+20250216-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69720","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ncurses-term-7583d06e0c71039c","name":"ncurses-term","version":"6.5+20250216-2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-MIT-X11 AND 
X11"],"cpes":["cpe:2.3:a:ncurses-term:ncurses-term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses-term:ncurses_term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_term:ncurses-term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses_term:ncurses_term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses-term:6.5\\+20250216-2:*:*:*:*:*:*:*","cpe:2.3:a:ncurses:ncurses_term:6.5\\+20250216-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ncurses-term@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses","upstreams":[{"name":"ncurses"}]}},{"vulnerability":{"id":"CVE-2001-1534","dataSource":"https://security-tracker.debian.org/tracker/CVE-2001-1534","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.","cvss":[],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0060999999999999995},"relatedVulnerabilities":[{"id":"CVE-2001-1534","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2001-1534","namespace":"nvd:cpe","severity":"Low","urls":["http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00084.html","http://www.iss.net/security_center/static/7494.php","http://www.securityfocus.com/bid/3521"],"description":"mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for 
authentication.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2001-1534","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2001-1534","dataSource":"https://security-tracker.debian.org/tracker/CVE-2001-1534","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for 
authentication.","cvss":[],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0060999999999999995},"relatedVulnerabilities":[{"id":"CVE-2001-1534","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2001-1534","namespace":"nvd:cpe","severity":"Low","urls":["http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00084.html","http://www.iss.net/security_center/static/7494.php","http://www.securityfocus.com/bid/3521"],"description":"mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2001-1534","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only 
AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2001-1534","dataSource":"https://security-tracker.debian.org/tracker/CVE-2001-1534","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.","cvss":[],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0060999999999999995},"relatedVulnerabilities":[{"id":"CVE-2001-1534","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2001-1534","namespace":"nvd:cpe","severity":"Low","urls":["http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00084.html","http://www.iss.net/security_center/static/7494.php","http://www.securityfocus.com/bid/3521"],"description":"mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these 
session ID's are used for authentication.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2001-1534","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2001-1534","dataSource":"https://security-tracker.debian.org/tracker/CVE-2001-1534","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"mod_usertrack 
in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.","cvss":[],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0060999999999999995},"relatedVulnerabilities":[{"id":"CVE-2001-1534","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2001-1534","namespace":"nvd:cpe","severity":"Low","urls":["http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00084.html","http://www.iss.net/security_center/static/7494.php","http://www.securityfocus.com/bid/3521"],"description":"mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2001-1534","epss":0.00122,"percentile":0.30929,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2001-1534","cwe":"CWE-384","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2001-1534","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2025-1352","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1352","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1352","epss":0.00121,"percentile":0.30728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1352","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00605},"relatedVulnerabilities":[{"id":"CVE-2025-1352","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1352","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15923","https://sourceware.org/bugzilla/show_bug.cgi?id=32650","https://sourceware.org/bugzilla/show_bug.cgi?id=32650#c2","https://vuldb.com/?ctiid.295960","https://vuldb.com/?id.295960","https://vuldb.com/?submit.495965","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1352","epss":0.00121,"percentile":0.30728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1352","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1352","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libdw1t64-c1ee80f31f7dbed2","name":"libdw1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libdw1t64:libdw1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libdw1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1352","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1352","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1352","epss":0.00121,"percentile":0.30728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1352","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00605},"relatedVulnerabilities":[{"id":"CVE-2025-1352","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1352","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15923","https://sourceware.org/bugzilla/show_bug.cgi?id=32650","https://sourceware.org/bugzilla/show_bug.cgi?id=32650#c2","https://vuldb.com/?ctiid.295960","https://vuldb.com/?id.295960","https://vuldb.com/?submit.495965","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. 
The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":1.7,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1352","epss":0.00121,"percentile":0.30728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1352","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1352","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libelf1t64-0cd60a52cc5d00d2","name":"libelf1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libelf1t64:libelf1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libelf1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. 
Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. 
The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. 
Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. 
The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1178","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1178","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. 
Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005999999999999999},"relatedVulnerabilities":[{"id":"CVE-2025-1178","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1178","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15914","https://sourceware.org/bugzilla/show_bug.cgi?id=32638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0","https://vuldb.com/?ctiid.295081","https://vuldb.com/?id.295081","https://vuldb.com/?submit.495369","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250411-0008/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1178","epss":0.0012,"percentile":0.30563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1178","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1178","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-13034","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13034","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the 
peer.  This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13034","epss":0.00011,"percentile":0.0129,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13034","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005995},"relatedVulnerabilities":[{"id":"CVE-2025-13034","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13034","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-13034.html","https://curl.se/docs/CVE-2025-13034.json"],"description":"When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`\nwith the curl tool,curl should check the public key of the server certificate\nto verify the peer.\n\nThis check was skipped in a certain condition that would then make curl allow\nthe connection without performing the proper check, thus not noticing a\npossible impostor. 
To skip this check, the connection had to be done with QUIC\nwith ngtcp2 built to use GnuTLS and the user had to explicitly disable the\nstandard certificate verification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13034","epss":0.00011,"percentile":0.0129,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13034","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13034","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-13034","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13034","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer.  This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. 
To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13034","epss":0.00011,"percentile":0.0129,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13034","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005995},"relatedVulnerabilities":[{"id":"CVE-2025-13034","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13034","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-13034.html","https://curl.se/docs/CVE-2025-13034.json"],"description":"When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`\nwith the curl tool,curl should check the public key of the server certificate\nto verify the peer.\n\nThis check was skipped in a certain condition that would then make curl allow\nthe connection without performing the proper check, thus not noticing a\npossible impostor. 
To skip this check, the connection had to be done with QUIC\nwith ngtcp2 built to use GnuTLS and the user had to explicitly disable the\nstandard certificate verification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13034","epss":0.00011,"percentile":0.0129,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13034","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13034","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-13034","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13034","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer.  This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. 
To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13034","epss":0.00011,"percentile":0.0129,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13034","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005995},"relatedVulnerabilities":[{"id":"CVE-2025-13034","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13034","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-13034.html","https://curl.se/docs/CVE-2025-13034.json"],"description":"When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`\nwith the curl tool,curl should check the public key of the server certificate\nto verify the peer.\n\nThis check was skipped in a certain condition that would then make curl allow\nthe connection without performing the proper check, thus not noticing a\npossible impostor. 
To skip this check, the connection had to be done with QUIC\nwith ngtcp2 built to use GnuTLS and the user had to explicitly disable the\nstandard certificate verification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13034","epss":0.00011,"percentile":0.0129,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13034","cwe":"CWE-295","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13034","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. 
The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. 
The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. 
This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. 
The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1181","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. 
This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00585},"relatedVulnerabilities":[{"id":"CVE-2025-1181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1181","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15918","https://sourceware.org/bugzilla/show_bug.cgi?id=32643","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24","https://vuldb.com/?ctiid.295084","https://vuldb.com/?id.295084","https://vuldb.com/?submit.495402","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250425-0007/"],"description":"A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1181","epss":0.00117,"percentile":0.3016,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1181","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1181","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4878","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4878","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. 
This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4878","epss":0.00008,"percentile":0.00835,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4878","cwe":"CWE-367","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0058},"relatedVulnerabilities":[{"id":"CVE-2026-4878","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4878","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/errata/RHSA-2026:7473","https://access.redhat.com/security/cve/CVE-2026-4878","https://bugzilla.redhat.com/show_bug.cgi?id=2447554","https://bugzilla.redhat.com/show_bug.cgi?id=2451615","http://www.openwall.com/lists/oss-security/2026/04/07/14","http://www.openwall.com/lists/oss-security/2026/04/07/4","http://www.openwall.com/lists/oss-security/2026/04/08/9","http://www.openwall.com/lists/oss-security/2026/04/09/5","http://www.openwall.com/lists/oss-security/2026/04/09/6"],"description":"A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. 
By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4878","epss":0.00008,"percentile":0.00835,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4878","cwe":"CWE-367","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libcap2","version":"1:2.75-10+b8"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4878","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libcap2","version":"1:2.75-10"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4878","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcap2-b54f833f405ba788","name":"libcap2","version":"1:2.75-10+b8","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:libcap2:libcap2:1\\:2.75-10\\+b8:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcap2@1%3A2.75-10%2Bb8?arch=arm64&distro=debian-13&upstream=libcap2%401%3A2.75-10","upstreams":[{"name":"libcap2","version":"1:2.75-10"}]}},{"vulnerability":{"id":"CVE-2026-4878","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4878","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"A flaw was found in libcap. 
A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4878","epss":0.00008,"percentile":0.00835,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4878","cwe":"CWE-367","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0058},"relatedVulnerabilities":[{"id":"CVE-2026-4878","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4878","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/errata/RHSA-2026:7473","https://access.redhat.com/security/cve/CVE-2026-4878","https://bugzilla.redhat.com/show_bug.cgi?id=2447554","https://bugzilla.redhat.com/show_bug.cgi?id=2451615","http://www.openwall.com/lists/oss-security/2026/04/07/14","http://www.openwall.com/lists/oss-security/2026/04/07/4","http://www.openwall.com/lists/oss-security/2026/04/08/9","http://www.openwall.com/lists/oss-security/2026/04/09/5","http://www.openwall.com/lists/oss-security/2026/04/09/6"],"description":"A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. 
By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4878","epss":0.00008,"percentile":0.00835,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4878","cwe":"CWE-367","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libcap2","version":"1:2.75-10"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4878","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcap2-bin-dd100b581e2d4538","name":"libcap2-bin","version":"1:2.75-10+b8","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-2.0-only AND 
GPL-2.0-or-later"],"cpes":["cpe:2.3:a:libcap2-bin:libcap2-bin:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libcap2-bin:libcap2_bin:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libcap2_bin:libcap2-bin:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libcap2_bin:libcap2_bin:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libcap2:libcap2-bin:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libcap2:libcap2_bin:1\\:2.75-10\\+b8:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcap2-bin@1%3A2.75-10%2Bb8?arch=arm64&distro=debian-13&upstream=libcap2%401%3A2.75-10","upstreams":[{"name":"libcap2","version":"1:2.75-10"}]}},{"vulnerability":{"id":"CVE-2026-4878","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4878","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. 
By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4878","epss":0.00008,"percentile":0.00835,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4878","cwe":"CWE-367","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0058},"relatedVulnerabilities":[{"id":"CVE-2026-4878","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4878","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/errata/RHSA-2026:7473","https://access.redhat.com/security/cve/CVE-2026-4878","https://bugzilla.redhat.com/show_bug.cgi?id=2447554","https://bugzilla.redhat.com/show_bug.cgi?id=2451615","http://www.openwall.com/lists/oss-security/2026/04/07/14","http://www.openwall.com/lists/oss-security/2026/04/07/4","http://www.openwall.com/lists/oss-security/2026/04/08/9","http://www.openwall.com/lists/oss-security/2026/04/09/5","http://www.openwall.com/lists/oss-security/2026/04/09/6"],"description":"A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. 
By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4878","epss":0.00008,"percentile":0.00835,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4878","cwe":"CWE-367","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libcap2","version":"1:2.75-10"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4878","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-cap-bc860d7ba2f664dd","name":"libpam-cap","version":"1:2.75-10+b8","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-2.0-only AND 
GPL-2.0-or-later"],"cpes":["cpe:2.3:a:libpam-cap:libpam-cap:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libpam-cap:libpam_cap:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libpam_cap:libpam-cap:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libpam_cap:libpam_cap:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-cap:1\\:2.75-10\\+b8:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_cap:1\\:2.75-10\\+b8:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-cap@1%3A2.75-10%2Bb8?arch=arm64&distro=debian-13&upstream=libcap2%401%3A2.75-10","upstreams":[{"name":"libcap2","version":"1:2.75-10"}]}},{"vulnerability":{"id":"CVE-2022-0987","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0987","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.","cvss":[],"epss":[{"cve":"CVE-2022-0987","epss":0.00113,"percentile":0.29491,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0987","cwe":"CWE-200","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00565},"relatedVulnerabilities":[{"id":"CVE-2022-0987","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0987","namespace":"nvd:cpe","severity":"Low","urls":["https://bugzilla.redhat.com/show_bug.cgi?id=2064315"],"description":"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. 
This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0987","epss":0.00113,"percentile":0.29491,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0987","cwe":"CWE-200","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"packagekit","version":"1.3.1-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0987","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpackagekit-glib2-18-af94a71de303aa5b","name":"libpackagekit-glib2-18","version":"1.3.1-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpackagekit-glib2-18@1.3.1-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=packagekit","upstreams":[{"name":"packagekit"}]}},{"vulnerability":{"id":"CVE-2022-0987","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0987","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. 
This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.","cvss":[],"epss":[{"cve":"CVE-2022-0987","epss":0.00113,"percentile":0.29491,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0987","cwe":"CWE-200","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00565},"relatedVulnerabilities":[{"id":"CVE-2022-0987","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0987","namespace":"nvd:cpe","severity":"Low","urls":["https://bugzilla.redhat.com/show_bug.cgi?id=2064315"],"description":"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0987","epss":0.00113,"percentile":0.29491,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0987","cwe":"CWE-200","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"packagekit","version":"1.3.1-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0987","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-packagekit-87be387af087e7ff","name":"packagekit","version":"1.3.1-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["FSFAP AND GPL-2.0-only AND 
GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:packagekit:packagekit:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/packagekit@1.3.1-1%2Bdeb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2022-0987","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0987","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.","cvss":[],"epss":[{"cve":"CVE-2022-0987","epss":0.00113,"percentile":0.29491,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0987","cwe":"CWE-200","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00565},"relatedVulnerabilities":[{"id":"CVE-2022-0987","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0987","namespace":"nvd:cpe","severity":"Low","urls":["https://bugzilla.redhat.com/show_bug.cgi?id=2064315"],"description":"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. 
This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0987","epss":0.00113,"percentile":0.29491,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0987","cwe":"CWE-200","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"packagekit","version":"1.3.1-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0987","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-packagekit-tools-e3088540c0e52051","name":"packagekit-tools","version":"1.3.1-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["FSFAP AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:packagekit-tools:packagekit-tools:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:packagekit-tools:packagekit_tools:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:packagekit_tools:packagekit-tools:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:packagekit_tools:packagekit_tools:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:packagekit:packagekit-tools:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:packagekit:packagekit_tools:1.3.1-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/packagekit-tools@1.3.1-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=packagekit","upstreams":[{"name":"packagekit"}]}},{"vulnerability":{"id":"CVE-2017-14159","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-14159","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.","cvss":[],"epss":[{"cve":"CVE-2017-14159","epss":0.00111,"percentile":0.29205,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-14159","cwe":"CWE-665","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005550000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-14159","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-14159","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.openldap.org/its/index.cgi?findid=8703","https://www.oracle.com/security-alerts/cpuapr2022.html"],"description":"slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script 
executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-14159","epss":0.00111,"percentile":0.29205,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-14159","cwe":"CWE-665","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-14159","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap-common-0c527d3d89610a10","name":"libldap-common","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap-common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap-common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap-common@2.6.10%2Bdfsg-1?arch=all&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2017-14159","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-14159","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.","cvss":[],"epss":[{"cve":"CVE-2017-14159","epss":0.00111,"percentile":0.29205,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-14159","cwe":"CWE-665","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.005550000000000001},"relatedVulnerabilities":[{"id":"CVE-2017-14159","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-14159","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.openldap.org/its/index.cgi?findid=8703","https://www.oracle.com/security-alerts/cpuapr2022.html"],"description":"slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, 
as demonstrated by openldap-initscript.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-14159","epss":0.00111,"percentile":0.29205,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-14159","cwe":"CWE-665","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-14159","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap2-c8352a83e37f53d5","name":"libldap2","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap2:libldap2:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap2@2.6.10%2Bdfsg-1?arch=arm64&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2008-4996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-4996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"init in 
initramfs-tools 0.92f allows local users to overwrite arbitrary files via a symlink attack on the /tmp/initramfs.debug temporary file.  NOTE: the vendor disputes this vulnerability, stating that \"init is [used in] a single-user context; there's no possibility that this is exploitable.","cvss":[],"epss":[{"cve":"CVE-2008-4996","epss":0.00108,"percentile":0.28631,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0054},"relatedVulnerabilities":[{"id":"CVE-2008-4996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-4996","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.debian.org/496386","http://dev.gentoo.org/~rbu/security/debiantemp/initramfs-tools","http://www.openwall.com/lists/oss-security/2008/10/30/2","https://bugs.gentoo.org/show_bug.cgi?id=235770"],"description":"init in initramfs-tools 0.92f allows local users to overwrite arbitrary files via a symlink attack on the /tmp/initramfs.debug temporary file.  
NOTE: the vendor disputes this vulnerability, stating that \"init is [used in] a single-user context; there's no possibility that this is exploitable.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:C/I:C/A:C","metrics":{"baseScore":6.9,"exploitabilityScore":3.4,"impactScore":10.1},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-4996","epss":0.00108,"percentile":0.28631,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"initramfs-tools","version":"0.148.3+rpt2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-4996","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-initramfs-tools-2d7e08b0192c2edb","name":"initramfs-tools","version":"0.148.3+rpt2","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND 
GPL-2.0-or-later"],"cpes":["cpe:2.3:a:initramfs-tools:initramfs-tools:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs-tools:initramfs_tools:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools:initramfs-tools:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools:initramfs_tools:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs:initramfs-tools:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs:initramfs_tools:0.148.3\\+rpt2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/initramfs-tools@0.148.3%2Brpt2?arch=all&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2008-4996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-4996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"init in initramfs-tools 0.92f allows local users to overwrite arbitrary files via a symlink attack on the /tmp/initramfs.debug temporary file.  NOTE: the vendor disputes this vulnerability, stating that \"init is [used in] a single-user context; there's no possibility that this is exploitable.","cvss":[],"epss":[{"cve":"CVE-2008-4996","epss":0.00108,"percentile":0.28631,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0054},"relatedVulnerabilities":[{"id":"CVE-2008-4996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-4996","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.debian.org/496386","http://dev.gentoo.org/~rbu/security/debiantemp/initramfs-tools","http://www.openwall.com/lists/oss-security/2008/10/30/2","https://bugs.gentoo.org/show_bug.cgi?id=235770"],"description":"init in initramfs-tools 0.92f allows local users to overwrite arbitrary files via a symlink attack on the /tmp/initramfs.debug temporary file.  
NOTE: the vendor disputes this vulnerability, stating that \"init is [used in] a single-user context; there's no possibility that this is exploitable.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:C/I:C/A:C","metrics":{"baseScore":6.9,"exploitabilityScore":3.4,"impactScore":10.1},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-4996","epss":0.00108,"percentile":0.28631,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"initramfs-tools","version":"0.148.3+rpt2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-4996","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-initramfs-tools-bin-7ffcf80360da33e9","name":"initramfs-tools-bin","version":"0.148.3+rpt2","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND 
GPL-2.0-or-later"],"cpes":["cpe:2.3:a:initramfs-tools-bin:initramfs-tools-bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs-tools-bin:initramfs_tools_bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools_bin:initramfs-tools-bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools_bin:initramfs_tools_bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs-tools:initramfs-tools-bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs-tools:initramfs_tools_bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools:initramfs-tools-bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools:initramfs_tools_bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs:initramfs-tools-bin:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs:initramfs_tools_bin:0.148.3\\+rpt2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/initramfs-tools-bin@0.148.3%2Brpt2?arch=arm64&distro=debian-13&upstream=initramfs-tools","upstreams":[{"name":"initramfs-tools"}]}},{"vulnerability":{"id":"CVE-2008-4996","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-4996","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"init in initramfs-tools 0.92f allows local users to overwrite arbitrary files via a symlink attack on the /tmp/initramfs.debug temporary file.  
NOTE: the vendor disputes this vulnerability, stating that \"init is [used in] a single-user context; there's no possibility that this is exploitable.","cvss":[],"epss":[{"cve":"CVE-2008-4996","epss":0.00108,"percentile":0.28631,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0054},"relatedVulnerabilities":[{"id":"CVE-2008-4996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-4996","namespace":"nvd:cpe","severity":"Medium","urls":["http://bugs.debian.org/496386","http://dev.gentoo.org/~rbu/security/debiantemp/initramfs-tools","http://www.openwall.com/lists/oss-security/2008/10/30/2","https://bugs.gentoo.org/show_bug.cgi?id=235770"],"description":"init in initramfs-tools 0.92f allows local users to overwrite arbitrary files via a symlink attack on the /tmp/initramfs.debug temporary file.  
NOTE: the vendor disputes this vulnerability, stating that \"init is [used in] a single-user context; there's no possibility that this is exploitable.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:C/I:C/A:C","metrics":{"baseScore":6.9,"exploitabilityScore":3.4,"impactScore":10.1},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-4996","epss":0.00108,"percentile":0.28631,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2008-4996","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"initramfs-tools","version":"0.148.3+rpt2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-4996","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-initramfs-tools-core-4b0445abfea9c53a","name":"initramfs-tools-core","version":"0.148.3+rpt2","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND 
GPL-2.0-or-later"],"cpes":["cpe:2.3:a:initramfs-tools-core:initramfs-tools-core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs-tools-core:initramfs_tools_core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools_core:initramfs-tools-core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools_core:initramfs_tools_core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs-tools:initramfs-tools-core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs-tools:initramfs_tools_core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools:initramfs-tools-core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs_tools:initramfs_tools_core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs:initramfs-tools-core:0.148.3\\+rpt2:*:*:*:*:*:*:*","cpe:2.3:a:initramfs:initramfs_tools_core:0.148.3\\+rpt2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/initramfs-tools-core@0.148.3%2Brpt2?arch=all&distro=debian-13&upstream=initramfs-tools","upstreams":[{"name":"initramfs-tools"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-dirmngr-1503f6714851f186","name":"dirmngr","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause 
AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:dirmngr:dirmngr:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/dirmngr@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gnupg-e708db6544496117","name":"gnupg","version":"2.4.7-21+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg:gnupg:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2","upstreams":[{"name":"gnupg2"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-gnupg-l10n-aecb683b9f0b939d","name":"gnupg-l10n","version":"2.4.7-21+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg-l10n:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg-l10n:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_l10n:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_l10n:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg-l10n@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2","upstreams":[{"name":"gnupg2"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-gnupg-utils-41247e5942d68018","name":"gnupg-utils","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg-utils:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg-utils:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_utils:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_utils:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg-utils@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-cd637b4dec7be710","name":"gpg","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND 
CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg:gpg:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-agent-4576e24fc7cc8670","name":"gpg-agent","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg-agent:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-agent:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_agent:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_agent:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg-agent@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-wks-client-6b2180724711c171","name":"gpg-wks-client","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg-wks-client:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks-client:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks_client:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks_client:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg-wks-client@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgconf-3b5f9b632f61a80b","name":"gpgconf","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause 
AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgconf:gpgconf:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgconf@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgsm-fc93e5f8d49a08ff","name":"gpgsm","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgsm:gpgsm:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgsm@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-24882","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24882","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC 
keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-24882","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24882","namespace":"nvd:cpe","severity":"High","urls":["https://dev.gnupg.org/T8045","https://www.openwall.com/lists/oss-security/2026/01/27/8"],"description":"In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.4,"exploitabilityScore":2.6,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24882","epss":0.00007,"percentile":0.00627,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24882","cwe":"CWE-121","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24882","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgv-747a9fedcf815a7f","name":"gpgv","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND 
CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgv:gpgv:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgv@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-25210","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25210","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25210","epss":0.00007,"percentile":0.00516,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25210","cwe":"CWE-190","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0053549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-25210","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25210","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/libexpat/libexpat/pull/1075","https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7"],"description":"In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer 
reallocation.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L","metrics":{"baseScore":6.9,"exploitabilityScore":1.5,"impactScore":5.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25210","epss":0.00007,"percentile":0.00516,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25210","cwe":"CWE-190","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25210","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2017-11697","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-11697","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db 
file.","cvss":[],"epss":[{"cve":"CVE-2017-11697","epss":0.00106,"percentile":0.28354,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11697","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0053},"relatedVulnerabilities":[{"id":"CVE-2017-11697","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-11697","namespace":"nvd:cpe","severity":"High","urls":["http://packetstormsecurity.com/files/143735/NSS-Buffer-Overflows-Floating-Point-Exception.html","http://seclists.org/fulldisclosure/2017/Aug/17","http://www.geeknik.net/9brdqk6xu","http://www.securityfocus.com/bid/100345","http://www.securitytracker.com/id/1039153","https://security.gentoo.org/glsa/202003-37"],"description":"The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.6,"exploitabilityScore":4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-11697","epss":0.00106,"percentile":0.28354,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11697","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nss","version":"2:3.110-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-11697","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libnss3-2c7a45e72cefc3cc","name":"libnss3","version":"2:3.110-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3 AND MPL-2.0 AND Zlib AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss3:libnss3:2\\:3.110-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=nss","upstreams":[{"name":"nss"}]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. 
The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. 
Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. 
The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1182","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. 
Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0052},"relatedVulnerabilities":[{"id":"CVE-2025-1182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1182","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15919","https://sourceware.org/bugzilla/show_bug.cgi?id=32644","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b425859021d17adf62f06fb904797cf8642986ad","https://vuldb.com/?ctiid.295086","https://vuldb.com/?id.295086","https://vuldb.com/?submit.495407","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","metrics":{"baseScore":5.1,"exploitabilityScore":5,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1182","epss":0.00104,"percentile":0.27946,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1182","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1182","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40226","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40226","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.005130000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-40226","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"description":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config 
file.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.4,"exploitabilityScore":0.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40226","epss":0.00009,"percentile":0.00988,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40226","cwe":"CWE-348","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40226","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-27171","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27171","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination 
condition.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27171","epss":0.00009,"percentile":0.00839,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27171","cwe":"CWE-1284","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004725},"relatedVulnerabilities":[{"id":"CVE-2026-27171","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27171","namespace":"nvd:cpe","severity":"Medium","urls":["https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/","https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf","https://github.com/madler/zlib/issues/904","https://github.com/madler/zlib/releases/tag/v1.3.2","https://ostif.org/zlib-audit-complete/"],"description":"zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination 
condition.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27171","epss":0.00009,"percentile":0.00839,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-27171","cwe":"CWE-1284","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"zlib","version":"1:1.3.dfsg+really1.3.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27171","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-zlib1g-a314be46474190d8","name":"zlib1g","version":"1:1.3.dfsg+really1.3.1-1+b1","type":"deb","locations":null,"language":"","licenses":["Zlib"],"cpes":["cpe:2.3:a:zlib1g:zlib1g:1\\:1.3.dfsg\\+really1.3.1-1\\+b1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/zlib1g@1%3A1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=arm64&distro=debian-13&upstream=zlib%401%3A1.3.dfsg%2Breally1.3.1-1","upstreams":[{"name":"zlib","version":"1:1.3.dfsg+really1.3.1-1"}]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by 
nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by 
nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by 
nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow 
vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by 
nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array 
for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by 
nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-20673","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20673","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.","cvss":[],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-20673","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20673","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/106454","https://sourceware.org/bugzilla/show_bug.cgi?id=24039"],"description":"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by 
nm.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:N/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20673","epss":0.00093,"percentile":0.25894,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2018-20673","cwe":"CWE-190","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2018-20673","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20673","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2017-1000382","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-1000382","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi 
binary.","cvss":[],"epss":[{"cve":"CVE-2017-1000382","epss":0.00093,"percentile":0.25799,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-1000382","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2017-1000382","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000382","namespace":"nvd:cpe","severity":"Medium","urls":["http://security.cucumberlinux.com/security/details.php?id=120","http://www.openwall.com/lists/oss-security/2017/10/31/1"],"description":"VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-1000382","epss":0.00093,"percentile":0.25799,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-1000382","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-1000382","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause 
AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2017-1000382","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-1000382","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.","cvss":[],"epss":[{"cve":"CVE-2017-1000382","epss":0.00093,"percentile":0.25799,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-1000382","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2017-1000382","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000382","namespace":"nvd:cpe","severity":"Medium","urls":["http://security.cucumberlinux.com/security/details.php?id=120","http://www.openwall.com/lists/oss-security/2017/10/31/1"],"description":"VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file 
(\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-1000382","epss":0.00093,"percentile":0.25799,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-1000382","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-1000382","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2017-1000382","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-1000382","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.","cvss":[],"epss":[{"cve":"CVE-2017-1000382","epss":0.00093,"percentile":0.25799,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-1000382","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0046500000000000005},"relatedVulnerabilities":[{"id":"CVE-2017-1000382","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000382","namespace":"nvd:cpe","severity":"Medium","urls":["http://security.cucumberlinux.com/security/details.php?id=120","http://www.openwall.com/lists/oss-security/2017/10/31/1"],"description":"VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi 
binary.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-1000382","epss":0.00093,"percentile":0.25799,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-1000382","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-1000382","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-34073","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34073","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. 
Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34073","epss":0.00009,"percentile":0.0084,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34073","cwe":"CWE-295","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004635},"relatedVulnerabilities":[{"id":"CVE-2026-34073","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34073","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"],"description":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. 
This issue has been patched in version 46.0.6.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34073","epss":0.00009,"percentile":0.0084,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-34073","cwe":"CWE-295","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python-cryptography","version":"43.0.0-3+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34073","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3-cryptography-10fb1f0c757a5b17","name":"python3-cryptography","version":"43.0.0-3+deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND 
LicenseRef-Expat"],"cpes":["cpe:2.3:a:python3-cryptography:python3-cryptography:43.0.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3-cryptography:python3_cryptography:43.0.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3_cryptography:python3-cryptography:43.0.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3_cryptography:python3_cryptography:43.0.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-cryptography:43.0.0-3\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_cryptography:43.0.0-3\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-cryptography@43.0.0-3%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=python-cryptography","upstreams":[{"name":"python-cryptography"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND 
LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND 
LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2026-40228","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40228","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004409999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-40228","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40228","namespace":"nvd:cpe","severity":"Low","urls":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"description":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-40228","epss":0.00014,"percentile":0.02593,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-40228","cwe":"CWE-669","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40228","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2017-11695","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-11695","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db 
file.","cvss":[],"epss":[{"cve":"CVE-2017-11695","epss":0.00088,"percentile":0.25044,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11695","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0044},"relatedVulnerabilities":[{"id":"CVE-2017-11695","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-11695","namespace":"nvd:cpe","severity":"High","urls":["http://packetstormsecurity.com/files/143735/NSS-Buffer-Overflows-Floating-Point-Exception.html","http://seclists.org/fulldisclosure/2017/Aug/17","http://www.geeknik.net/9brdqk6xu","http://www.securityfocus.com/bid/100345","http://www.securitytracker.com/id/1039153","https://security.gentoo.org/glsa/202003-37"],"description":"Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.6,"exploitabilityScore":4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-11695","epss":0.00088,"percentile":0.25044,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11695","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nss","version":"2:3.110-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-11695","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libnss3-2c7a45e72cefc3cc","name":"libnss3","version":"2:3.110-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3 AND MPL-2.0 AND Zlib AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss3:libnss3:2\\:3.110-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=nss","upstreams":[{"name":"nss"}]}},{"vulnerability":{"id":"CVE-2017-11696","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-11696","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.","cvss":[],"epss":[{"cve":"CVE-2017-11696","epss":0.00088,"percentile":0.25044,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11696","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0044},"relatedVulnerabilities":[{"id":"CVE-2017-11696","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-11696","namespace":"nvd:cpe","severity":"High","urls":["http://packetstormsecurity.com/files/143735/NSS-Buffer-Overflows-Floating-Point-Exception.html","http://seclists.org/fulldisclosure/2017/Aug/17","http://www.geeknik.net/9brdqk6xu","http://www.securityfocus.com/bid/100345","http://www.securitytracker.com/id/1039153","https://security.gentoo.org/glsa/202003-37"],"description":"Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.6,"exploitabilityScore":4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-11696","epss":0.00088,"percentile":0.25044,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11696","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nss","version":"2:3.110-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-11696","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnss3-2c7a45e72cefc3cc","name":"libnss3","version":"2:3.110-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3 AND MPL-2.0 AND Zlib AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss3:libnss3:2\\:3.110-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=nss","upstreams":[{"name":"nss"}]}},{"vulnerability":{"id":"CVE-2017-11698","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-11698","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db 
file.","cvss":[],"epss":[{"cve":"CVE-2017-11698","epss":0.00088,"percentile":0.25044,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11698","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0044},"relatedVulnerabilities":[{"id":"CVE-2017-11698","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-11698","namespace":"nvd:cpe","severity":"High","urls":["http://packetstormsecurity.com/files/143735/NSS-Buffer-Overflows-Floating-Point-Exception.html","http://seclists.org/fulldisclosure/2017/Aug/17","http://www.geeknik.net/9brdqk6xu","http://www.securityfocus.com/bid/100345","http://www.securitytracker.com/id/1039153","https://security.gentoo.org/glsa/202003-37"],"description":"Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":4.6,"exploitabilityScore":4,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-11698","epss":0.00088,"percentile":0.25044,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-11698","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nss","version":"2:3.110-1+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-11698","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libnss3-2c7a45e72cefc3cc","name":"libnss3","version":"2:3.110-1+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3 AND MPL-2.0 AND Zlib AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss3:libnss3:2\\:3.110-1\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=nss","upstreams":[{"name":"nss"}]}},{"vulnerability":{"id":"CVE-2026-26157","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-26157","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26157","epss":0.00006,"percentile":0.00416,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26157","cwe":"CWE-73","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00435},"relatedVulnerabilities":[{"id":"CVE-2026-26157","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26157","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-26157","https://bugzilla.redhat.com/show_bug.cgi?id=2439039","https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb"],"description":"A flaw was found in BusyBox. 
Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26157","epss":0.00006,"percentile":0.00416,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26157","cwe":"CWE-73","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-26157","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-26157","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2026-26158","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-26158","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"A flaw was found in BusyBox. 
This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26158","epss":0.00006,"percentile":0.00322,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26158","cwe":"CWE-73","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00435},"relatedVulnerabilities":[{"id":"CVE-2026-26158","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26158","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-26158","https://bugzilla.redhat.com/show_bug.cgi?id=2439040","https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb"],"description":"A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. 
If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7,"exploitabilityScore":1.1,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26158","epss":0.00006,"percentile":0.00322,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-26158","cwe":"CWE-73","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6+b7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-26158","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"busybox","version":"1:1.37.0-6"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-26158","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-busybox-53b4a72165e5bbad","name":"busybox","version":"1:1.37.0-6+b7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:busybox:busybox:1\\:1.37.0-6\\+b7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/busybox@1%3A1.37.0-6%2Bb7?arch=arm64&distro=debian-13&upstream=busybox%401%3A1.37.0-6","upstreams":[{"name":"busybox","version":"1:1.37.0-6"}]}},{"vulnerability":{"id":"CVE-2007-3303","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-3303","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all 
worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.  NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00425},"relatedVulnerabilities":[{"id":"CVE-2007-3303","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-3303","namespace":"nvd:cpe","severity":"Medium","urls":["http://osvdb.org/37050","http://security.psnc.pl/files/apache_report.pdf","http://securityreason.com/securityalert/2814","http://www.securityfocus.com/archive/1/469899/100/0/threaded","http://www.securityfocus.com/archive/1/471832/100/0/threaded","http://www.securityfocus.com/bid/24215"],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.  
NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":4.9,"exploitabilityScore":4,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-3303","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-e442cca4d5089982","name":"apache2","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2:apache2:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2007-3303","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-3303","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily 
large number of worker processes.  NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00425},"relatedVulnerabilities":[{"id":"CVE-2007-3303","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-3303","namespace":"nvd:cpe","severity":"Medium","urls":["http://osvdb.org/37050","http://security.psnc.pl/files/apache_report.pdf","http://securityreason.com/securityalert/2814","http://www.securityfocus.com/archive/1/469899/100/0/threaded","http://www.securityfocus.com/archive/1/471832/100/0/threaded","http://www.securityfocus.com/bid/24215"],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.  
NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":4.9,"exploitabilityScore":4,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-3303","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-bin-1079264b7c765d23","name":"apache2-bin","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_bin:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_bin:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-bin@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2007-3303","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-3303","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.  
NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00425},"relatedVulnerabilities":[{"id":"CVE-2007-3303","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-3303","namespace":"nvd:cpe","severity":"Medium","urls":["http://osvdb.org/37050","http://security.psnc.pl/files/apache_report.pdf","http://securityreason.com/securityalert/2814","http://www.securityfocus.com/archive/1/469899/100/0/threaded","http://www.securityfocus.com/archive/1/471832/100/0/threaded","http://www.securityfocus.com/bid/24215"],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.  
NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":4.9,"exploitabilityScore":4,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-3303","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-data-a25605bbf0c04fae","name":"apache2-data","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_data:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_data:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-data@2.4.66-1~deb13u2?arch=all&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2007-3303","dataSource":"https://security-tracker.debian.org/tracker/CVE-2007-3303","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.  
NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00425},"relatedVulnerabilities":[{"id":"CVE-2007-3303","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2007-3303","namespace":"nvd:cpe","severity":"Medium","urls":["http://osvdb.org/37050","http://security.psnc.pl/files/apache_report.pdf","http://securityreason.com/securityalert/2814","http://www.securityfocus.com/archive/1/469899/100/0/threaded","http://www.securityfocus.com/archive/1/471832/100/0/threaded","http://www.securityfocus.com/bid/24215"],"description":"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.  
NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":4.9,"exploitabilityScore":4,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2007-3303","epss":0.00085,"percentile":0.24563,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2007-3303","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"apache2","version":"2.4.66-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2007-3303","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-apache2-utils-6b7395e8b8084cf1","name":"apache2-utils","version":"2.4.66-1~deb13u2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause-Darwin AND LicenseRef-BSD-3-clause-Cambridge AND LicenseRef-BSD-3-clause-Smrgrav AND LicenseRef-Cisco AND LicenseRef-Custom AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-Haines AND LicenseRef-MD5 AND LicenseRef-PCRE AND 
LicenseRef-Zeus"],"cpes":["cpe:2.3:a:apache2-utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2-utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2_utils:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2-utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:apache2:apache2_utils:2.4.66-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/apache2-utils@2.4.66-1~deb13u2?arch=arm64&distro=debian-13&upstream=apache2","upstreams":[{"name":"apache2"}]}},{"vulnerability":{"id":"CVE-2025-66382","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66382","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66382","epss":0.00008,"percentile":0.00728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66382","cwe":"CWE-407","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66382","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66382","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/libexpat/libexpat/issues/1076","http://www.openwall.com/lists/oss-security/2025/12/02/1"],"description":"In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing 
time.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66382","epss":0.00008,"percentile":0.00728,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66382","cwe":"CWE-407","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66382","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2025-15224","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15224","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH 
agent.","cvss":[],"epss":[{"cve":"CVE-2025-15224","epss":0.00084,"percentile":0.24338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15224","cwe":"CWE-287","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-15224","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15224","namespace":"nvd:cpe","severity":"Low","urls":["https://curl.se/docs/CVE-2025-15224.html","https://curl.se/docs/CVE-2025-15224.json","https://hackerone.com/reports/3480925","http://www.openwall.com/lists/oss-security/2026/01/07/7"],"description":"When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15224","epss":0.00084,"percentile":0.24338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15224","cwe":"CWE-287","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15224","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-15224","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15224","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.","cvss":[],"epss":[{"cve":"CVE-2025-15224","epss":0.00084,"percentile":0.24338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15224","cwe":"CWE-287","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-15224","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15224","namespace":"nvd:cpe","severity":"Low","urls":["https://curl.se/docs/CVE-2025-15224.html","https://curl.se/docs/CVE-2025-15224.json","https://hackerone.com/reports/3480925","http://www.openwall.com/lists/oss-security/2026/01/07/7"],"description":"When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH 
agent.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15224","epss":0.00084,"percentile":0.24338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15224","cwe":"CWE-287","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15224","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-15224","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15224","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing SSH-based transfers using either SCP or SFTP, and 
asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.","cvss":[],"epss":[{"cve":"CVE-2025-15224","epss":0.00084,"percentile":0.24338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15224","cwe":"CWE-287","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-15224","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15224","namespace":"nvd:cpe","severity":"Low","urls":["https://curl.se/docs/CVE-2025-15224.html","https://curl.se/docs/CVE-2025-15224.json","https://hackerone.com/reports/3480925","http://www.openwall.com/lists/oss-security/2026/01/07/7"],"description":"When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15224","epss":0.00084,"percentile":0.24338,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15224","cwe":"CWE-287","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15224","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND 
GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A 
vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. 
This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. 
This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5245","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5245","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004200000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-5245","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5245","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16004","https://sourceware.org/bugzilla/show_bug.cgi?id=32829","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a","https://vuldb.com/?ctiid.310347","https://vuldb.com/?id.310347","https://vuldb.com/?submit.584635","https://www.gnu.org/"],"description":"A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5245","epss":0.00084,"percentile":0.24243,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5245","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5245","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11961","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11961","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer.  The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented.  If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.","cvss":[{"source":"security@tcpdump.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":0.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11961","epss":0.00017,"percentile":0.04246,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11961","cwe":"CWE-122","source":"security@tcpdump.org","type":"Secondary"},{"cve":"CVE-2025-11961","cwe":"CWE-126","source":"security@tcpdump.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.004165},"relatedVulnerabilities":[{"id":"CVE-2025-11961","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11961","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02"],"description":"pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer.  The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented.  
If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.","cvss":[{"source":"security@tcpdump.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":0.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11961","epss":0.00017,"percentile":0.04246,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11961","cwe":"CWE-122","source":"security@tcpdump.org","type":"Secondary"},{"cve":"CVE-2025-11961","cwe":"CWE-126","source":"security@tcpdump.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libpcap","version":"1.10.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11961","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpcap0.8t64-2da756ee744d047e","name":"libpcap0.8t64","version":"1.10.5-2","type":"deb","locations":null,"language":"","licenses":["6b0e609cf98f7abd39d3b81100fdb2bed24dcaee6656b500fcecb392db70dc60"],"cpes":["cpe:2.3:a:libpcap0.8t64:libpcap0.8t64:1.10.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpcap0.8t64@1.10.5-2?arch=arm64&distro=debian-13&upstream=libpcap","upstreams":[{"name":"libpcap"}]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A 
vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. 
The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. 
The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1153","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1153","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.004150000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-1153","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1153","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32603","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150","https://vuldb.com/?ctiid.295057","https://vuldb.com/?id.295057","https://vuldb.com/?submit.489991","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0005/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. 
The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1153","epss":0.00083,"percentile":0.24069,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1153","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1153","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. 
The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. 
This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. 
The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. 
This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1180","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. 
This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0041},"relatedVulnerabilities":[{"id":"CVE-2025-1180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1180","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15917","https://sourceware.org/bugzilla/show_bug.cgi?id=32642","https://vuldb.com/?ctiid.295083","https://vuldb.com/?id.295083","https://vuldb.com/?submit.495381","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1180","epss":0.00082,"percentile":0.23762,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1180","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1180","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2024-26461","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26461","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in 
/krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2024-26461","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26461","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md","https://security.netapp.com/advisory/ntap-20240415-0011/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26461","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-krb5-locales-47c43824bf48a66c","name":"krb5-locales","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:krb5-locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5-locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5_locales:krb5_locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5-locales:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:krb5:krb5_locales:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/krb5-locales@1.21.3-5?arch=all&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26461","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26461","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2024-26461","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26461","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md","https://security.netapp.com/advisory/ntap-20240415-0011/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in 
/krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26461","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgssapi-krb5-2-f126828866b7e868","name":"libgssapi-krb5-2","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgssapi-krb5-2@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26461","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26461","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 
1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2024-26461","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26461","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md","https://security.netapp.com/advisory/ntap-20240415-0011/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26461","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libk5crypto3-83b2cd2d3fde8f6b","name":"libk5crypto3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libk5crypto3:libk5crypto3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libk5crypto3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26461","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26461","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2024-26461","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26461","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md","https://security.netapp.com/advisory/ntap-20240415-0011/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in 
/krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26461","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libkrb5-3-2eb5875d5518f857","name":"libkrb5-3","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5-3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5-3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5_3:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5-3:1.21.3-5:*:*:*:*:*:*:*","cpe:2.3:a:libkrb5:libkrb5_3:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5-3@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2024-26461","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-26461","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in 
/krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2024-26461","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-26461","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md","https://security.netapp.com/advisory/ntap-20240415-0011/"],"description":"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-26461","epss":0.00081,"percentile":0.23742,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-26461","cwe":"CWE-770","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"krb5","version":"1.21.3-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-26461","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libkrb5support0-80b206ca5e07fd6c","name":"libkrb5support0","version":"1.21.3-5","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:libkrb5support0:libkrb5support0:1.21.3-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libkrb5support0@1.21.3-5?arch=arm64&distro=debian-13&upstream=krb5","upstreams":[{"name":"krb5"}]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. 
The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. 
Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. 
It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. 
Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-5244","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-5244","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00405},"relatedVulnerabilities":[{"id":"CVE-2025-5244","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-5244","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16010","https://sourceware.org/bugzilla/show_bug.cgi?id=32858","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5","https://vuldb.com/?ctiid.310346","https://vuldb.com/?id.310346","https://vuldb.com/?submit.584634","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. 
Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-5244","epss":0.00081,"percentile":0.23693,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-5244","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-5244","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:bi
nutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:bi
nutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:bi
nutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66862","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66862","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66862","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66862","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md"],"description":"A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66862","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66862","cwe":"CWE-122","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66862","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66863","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66863","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66863","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md"],"description":"An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66863","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66863","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66863","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66865","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66865","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0038000000000000004},"relatedVulnerabilities":[{"id":"CVE-2025-66865","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66865","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66865","epss":0.00076,"percentile":0.22633,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66865","cwe":"CWE-121","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66865","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2005-1119","dataSource":"https://security-tracker.debian.org/tracker/CVE-2005-1119","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary files via a symlink attack on temporary files.","cvss":[],"epss":[{"cve":"CVE-2005-1119","epss":0.00075,"percentile":0.22439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2005-1119","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037500000000000003},"relatedVulnerabilities":[{"id":"CVE-2005-1119","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2005-1119","namespace":"nvd:cpe","severity":"Low","urls":["http://www.securityfocus.com/bid/13171"],"description":"Sudo VISudo 1.6.8 and earlier allows 
local users to corrupt arbitrary files via a symlink attack on temporary files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":2.1,"exploitabilityScore":4,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2005-1119","epss":0.00075,"percentile":0.22439,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2005-1119","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"sudo","version":"1.9.16p2-3+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2005-1119","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-sudo-6baa1323ddeb9282","name":"sudo","version":"1.9.16p2-3+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND ISC AND Zlib AND LicenseRef-other AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:sudo:sudo:1.9.16p2-3\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/sudo@1.9.16p2-3%2Bdeb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-35535","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35535","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege 
escalation.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":1.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35535","epss":0.00005,"percentile":0.00285,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35535","cwe":"CWE-271","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0037250000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-35535","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35535","namespace":"nvd:cpe","severity":"High","urls":["https://bugs.debian.org/1130593","https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2143042","https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69","https://www.qualys.com/2026/03/10/crack-armor.txt"],"description":"In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":1.5,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35535","epss":0.00005,"percentile":0.00285,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35535","cwe":"CWE-271","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"sudo","version":"1.9.16p2-3+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35535","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-sudo-6baa1323ddeb9282","name":"sudo","version":"1.9.16p2-3+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND 
BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND ISC AND Zlib AND LicenseRef-other AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:sudo:sudo:1.9.16p2-3\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/sudo@1.9.16p2-3%2Bdeb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was 
found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher
":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 
and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. 
It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1148","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1148","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0037000000000000006},"relatedVulnerabilities":[{"id":"CVE-2025-1148","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1148","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295052","https://vuldb.com/?id.295052","https://vuldb.com/?submit.485747","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0004/"],"description":"A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1148","epss":0.00074,"percentile":0.22099,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1148","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1148","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2018-7738","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-7738","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","cvss":[],"epss":[{"cve":"CVE-2018-7738","epss":0.0007,"percentile":0.21328,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0035000000000000005},"relatedVulnerabilities":[{"id":"CVE-2018-7738","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-7738","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://usn.ubuntu.com/4512-1/","https://www.debian.org/security/2018/dsa-4134","https://security.netapp.com/advisory/ntap-20241213-0002/"],"description":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:L/Au:N/C:C/I:C/A:C","metrics":{"baseScore":7.2,"exploitabilityScore":4,"impactScore":10.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-7738","epss":0.0007,"percentile":0.21328,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"bash-completion","version":"1:2.16.0-7"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-7738","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bash-completion-bf8639731e15ec2e","name":"bash-completion","version":"1:2.16.0-7","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later"],"cpes":["cpe:2.3:a:bash-completion:bash-completion:1\\:2.16.0-7:*:*:*:*:*:*:*","cpe:2.3:a:bash-completion:bash_completion:1\\:2.16.0-7:*:*:*:*:*:*:*","cpe:2.3:a:bash_completion:bash-completion:1\\:2.16.0-7:*:*:*:*:*:*:*","cpe:2.3:a:bash_completion:bash_completion:1\\:2.16.0-7:*:*:*:*:*:*:*","cpe:2.3:a:bash:bash-completion:1\\:2.16.0-7:*:*:*:*:*:*:*","cpe:2.3:a:bash:bash_completion:1\\:2.16.0-7:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bash-completion@1%3A2.16.0-7?arch=all&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-13462","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13462","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. 
This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0034999999999999996},"relatedVulnerabilities":[{"id":"CVE-2025-13462","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13462","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab","https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017","https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7","https://github.com/python/cpython/issues/141707","https://github.com/python/cpython/pull/143934","https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/"],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. 
This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13462","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-13462","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13462","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. 
This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0034999999999999996},"relatedVulnerabilities":[{"id":"CVE-2025-13462","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13462","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab","https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017","https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7","https://github.com/python/cpython/issues/141707","https://github.com/python/cpython/pull/143934","https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/"],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. 
This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13462","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-13462","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13462","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other 
implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0034999999999999996},"relatedVulnerabilities":[{"id":"CVE-2025-13462","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13462","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab","https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017","https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7","https://github.com/python/cpython/issues/141707","https://github.com/python/cpython/pull/143934","https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/"],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. 
This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13462","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-13462","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-13462","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. 
This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0034999999999999996},"relatedVulnerabilities":[{"id":"CVE-2025-13462","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-13462","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab","https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017","https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7","https://github.com/python/cpython/issues/141707","https://github.com/python/cpython/pull/143934","https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/"],"description":"The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. 
This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-13462","epss":0.00014,"percentile":0.02733,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-13462","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-74","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"},{"cve":"CVE-2025-13462","cwe":"CWE-434","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-13462","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-25749","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25749","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. 
This issue has been patched in version 9.1.2132.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.4,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25749","epss":0.00006,"percentile":0.00303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25749","cwe":"CWE-122","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00348},"relatedVulnerabilities":[{"id":"CVE-2026-25749","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25749","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9","https://github.com/vim/vim/releases/tag/v9.1.2132","https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. 
This issue has been patched in version 9.1.2132.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.4,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25749","epss":0.00006,"percentile":0.00303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25749","cwe":"CWE-122","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25749","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-25749","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25749","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. 
This issue has been patched in version 9.1.2132.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.4,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25749","epss":0.00006,"percentile":0.00303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25749","cwe":"CWE-122","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00348},"relatedVulnerabilities":[{"id":"CVE-2026-25749","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25749","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9","https://github.com/vim/vim/releases/tag/v9.1.2132","https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. 
This issue has been patched in version 9.1.2132.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.4,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25749","epss":0.00006,"percentile":0.00303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25749","cwe":"CWE-122","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25749","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-25749","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25749","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. 
This issue has been patched in version 9.1.2132.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.4,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25749","epss":0.00006,"percentile":0.00303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25749","cwe":"CWE-122","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00348},"relatedVulnerabilities":[{"id":"CVE-2026-25749","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25749","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9","https://github.com/vim/vim/releases/tag/v9.1.2132","https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43"],"description":"Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. 
This issue has been patched in version 9.1.2132.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.4,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25749","epss":0.00006,"percentile":0.00303,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25749","cwe":"CWE-122","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25749","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. 
The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. 
The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. 
An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. 
Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. 
Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-3198","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-3198","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0034000000000000007},"relatedVulnerabilities":[{"id":"CVE-2025-3198","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-3198","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=32716","https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d","https://vuldb.com/?ctiid.303151","https://vuldb.com/?id.303151","https://vuldb.com/?submit.545773","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-3198","epss":0.00068,"percentile":0.20778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-3198","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-3198","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-25068","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25068","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25068","epss":0.00007,"percentile":0.00525,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25068","cwe":"CWE-129","source":"disclosure@vulncheck.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0033599999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-25068","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25068","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40","https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow","https://lists.debian.org/debian-lts-announce/2026/02/msg00008.html"],"description":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a 
heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25068","epss":0.00007,"percentile":0.00525,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25068","cwe":"CWE-129","source":"disclosure@vulncheck.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"alsa-lib","version":"1.2.14-1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25068","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libasound2-data-c430a500bdd72298","name":"libasound2-data","version":"1.2.14-1+rpt1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libasound2-data:libasound2-data:1.2.14-1\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:libasound2-data:libasound2_data:1.2.14-1\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:libasound2_data:libasound2-data:1.2.14-1\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:libasound2_data:libasound2_data:1.2.14-1\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:libasound2:libasound2-data:1.2.14-1\\+rpt1:*:*:*:*:*:*:*","cpe:2.3:a:libasound2:libasound2_data:1.2.14-1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libasound2-data@1.2.14-1%2Brpt1?arch=all&distro=debian-13&upstream=alsa-lib","upstreams":[{"name":"alsa-lib"}]}},{"vulnerability":{"id":"CVE-2026-25068","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25068","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). 
A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25068","epss":0.00007,"percentile":0.00525,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25068","cwe":"CWE-129","source":"disclosure@vulncheck.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0033599999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-25068","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25068","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40","https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow","https://lists.debian.org/debian-lts-announce/2026/02/msg00008.html"],"description":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). 
A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25068","epss":0.00007,"percentile":0.00525,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25068","cwe":"CWE-129","source":"disclosure@vulncheck.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"alsa-lib","version":"1.2.14-1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25068","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libasound2t64-192714dfcc6d842e","name":"libasound2t64","version":"1.2.14-1+rpt1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libasound2t64:libasound2t64:1.2.14-1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libasound2t64@1.2.14-1%2Brpt1?arch=arm64&distro=debian-13&upstream=alsa-lib","upstreams":[{"name":"alsa-lib"}]}},{"vulnerability":{"id":"CVE-2026-25068","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25068","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). 
A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25068","epss":0.00007,"percentile":0.00525,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25068","cwe":"CWE-129","source":"disclosure@vulncheck.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0033599999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-25068","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25068","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40","https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow","https://lists.debian.org/debian-lts-announce/2026/02/msg00008.html"],"description":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). 
A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25068","epss":0.00007,"percentile":0.00525,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25068","cwe":"CWE-129","source":"disclosure@vulncheck.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"alsa-lib","version":"1.2.14-1+rpt1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25068","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libatopology2t64-ebf50bcf2fbbe9af","name":"libatopology2t64","version":"1.2.14-1+rpt1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libatopology2t64:libatopology2t64:1.2.14-1\\+rpt1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libatopology2t64@1.2.14-1%2Brpt1?arch=arm64&distro=debian-13&upstream=alsa-lib","upstreams":[{"name":"alsa-lib"}]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. 
The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. 
The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL 
AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. 
The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1147","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1147","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00335},"relatedVulnerabilities":[{"id":"CVE-2025-1147","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1147","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15881","https://sourceware.org/bugzilla/show_bug.cgi?id=32556","https://vuldb.com/?ctiid.295051","https://vuldb.com/?id.295051","https://vuldb.com/?submit.485254","https://www.gnu.org/","https://security.netapp.com/advisory/ntap-20250404-0003/"],"description":"A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. 
The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1147","epss":0.00067,"percentile":0.20552,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1147","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1147","cwe":"CWE-120","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1147","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-35388","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35388","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35388","epss":0.00012,"percentile":0.01778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35388","cwe":"CWE-420","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0033000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-35388","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35388","namespace":"nvd:cpe","severity":"Low","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing 
sessions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35388","epss":0.00012,"percentile":0.01778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35388","cwe":"CWE-420","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35388","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-client-189572ddb2adaf11","name":"openssh-client","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_client:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_client:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-client@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35388","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35388","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35388","epss":0.00012,"percentile":0.01778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35388","cwe":"CWE-420","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0033000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-35388","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35388","namespace":"nvd:cpe","severity":"Low","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing 
sessions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35388","epss":0.00012,"percentile":0.01778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35388","cwe":"CWE-420","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35388","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-server-11e9b4f22003e3c7","name":"openssh-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_server:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2026-35388","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-35388","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35388","epss":0.00012,"percentile":0.01778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35388","cwe":"CWE-420","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0033000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-35388","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-35388","namespace":"nvd:cpe","severity":"Low","urls":["https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2","https://www.openssh.org/releasenotes.html#10.3p1","https://www.openwall.com/lists/oss-security/2026/04/02/3"],"description":"OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing 
sessions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-35388","epss":0.00012,"percentile":0.01778,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-35388","cwe":"CWE-420","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssh","version":"1:10.0p1-7+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-35388","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-openssh-sftp-server-1a0a5aeeb1bded26","name":"openssh-sftp-server","version":"1:10.0p1-7+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat-with-advertising-restriction AND LicenseRef-Mazieres-BSD-style AND LicenseRef-OpenSSH AND LicenseRef-Powell-BSD-style AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:openssh-sftp-server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp-server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp_server:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh-sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh_sftp:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh-sftp-server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:openssh:openssh_sftp_server:1\\:10.0p1-7\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/openssh-sftp-server@1%3A10.0p1-7%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=openssh","upstreams":[{"name":"openssh"}]}},{"vulnerability":{"id":"CVE-2025-68276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68276","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. 
This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00315},"relatedVulnerabilities":[{"id":"CVE-2025-68276","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68276","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688","https://github.com/avahi/avahi/pull/806","https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. 
This can be done by either calling\nthe RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-avahi-daemon-d209761e50802ac7","name":"avahi-daemon","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:avahi-daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi-daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi_daemon:avahi_daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi-daemon:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:avahi:avahi_daemon:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/avahi-daemon@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68276","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00315},"relatedVulnerabilities":[{"id":"CVE-2025-68276","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68276","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688","https://github.com/avahi/avahi/pull/806","https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. 
This can be done by either calling\nthe RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common-data-5cdf5a55d2d34a04","name":"libavahi-common-data","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND 
LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common-data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common-data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common_data:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common:libavahi_common_data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common-data:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common_data:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common-data@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68276","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. 
This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00315},"relatedVulnerabilities":[{"id":"CVE-2025-68276","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68276","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688","https://github.com/avahi/avahi/pull/806","https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. 
This can be done by either calling\nthe RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-common3-a28bb129f3d19912","name":"libavahi-common3","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_common3:libavahi_common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-common3:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_common3:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-common3@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2025-68276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68276","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. 
In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00315},"relatedVulnerabilities":[{"id":"CVE-2025-68276","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68276","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688","https://github.com/avahi/avahi/pull/806","https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc"],"description":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. 
This can be done by either calling\nthe RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68276","epss":0.00006,"percentile":0.00314,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68276","cwe":"CWE-617","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"avahi","version":"0.8-16"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libavahi-core7-af273c4b4622548b","name":"libavahi-core7","version":"0.8-16","type":"deb","locations":null,"language":"","licenses":["GPL AND GPL-2.0-only AND LGPL-2.1-only"],"cpes":["cpe:2.3:a:libavahi-core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi-core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi_core7:libavahi_core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi-core7:0.8-16:*:*:*:*:*:*:*","cpe:2.3:a:libavahi:libavahi_core7:0.8-16:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libavahi-core7@0.8-16?arch=arm64&distro=debian-13&upstream=avahi","upstreams":[{"name":"avahi"}]}},{"vulnerability":{"id":"CVE-2026-28419","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28419","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. 
When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28419","epss":0.00005,"percentile":0.00215,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28419","cwe":"CWE-124","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28419","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0029},"relatedVulnerabilities":[{"id":"CVE-2026-28419","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28419","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812","https://github.com/vim/vim/releases/tag/v9.2.0075","https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv","http://www.openwall.com/lists/oss-security/2026/02/27/8"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. 
Version 9.2.0075 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28419","epss":0.00005,"percentile":0.00215,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28419","cwe":"CWE-124","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28419","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28419","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28419","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28419","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. 
Version 9.2.0075 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28419","epss":0.00005,"percentile":0.00215,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28419","cwe":"CWE-124","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28419","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0029},"relatedVulnerabilities":[{"id":"CVE-2026-28419","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28419","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812","https://github.com/vim/vim/releases/tag/v9.2.0075","https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv","http://www.openwall.com/lists/oss-security/2026/02/27/8"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. 
Version 9.2.0075 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28419","epss":0.00005,"percentile":0.00215,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28419","cwe":"CWE-124","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28419","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28419","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28419","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28419","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. 
Version 9.2.0075 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28419","epss":0.00005,"percentile":0.00215,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28419","cwe":"CWE-124","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28419","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0029},"relatedVulnerabilities":[{"id":"CVE-2026-28419","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28419","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812","https://github.com/vim/vim/releases/tag/v9.2.0075","https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv","http://www.openwall.com/lists/oss-security/2026/02/27/8"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. 
Version 9.2.0075 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","metrics":{"baseScore":6.6,"exploitabilityScore":1.9,"impactScore":4.8},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28419","epss":0.00005,"percentile":0.00215,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28419","cwe":"CWE-124","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28419","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28419","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2017-18018","dataSource":"https://security-tracker.debian.org/tracker/CVE-2017-18018","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","cvss":[],"epss":[{"cve":"CVE-2017-18018","epss":0.00057,"percentile":0.17687,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-18018","cwe":"CWE-362","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2017-18018","cwe":"CWE-362","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00285},"relatedVulnerabilities":[{"id":"CVE-2017-18018","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-18018","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html"],"description":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race 
condition.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-18018","epss":0.00057,"percentile":0.17687,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2017-18018","cwe":"CWE-362","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2017-18018","cwe":"CWE-362","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"coreutils","version":"9.7-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2017-18018","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-coreutils-2993da8365e6c3ce","name":"coreutils","version":"9.7-3","type":"deb","locations":null,"language":"","licenses":["BSD-4-Clause-UC AND FSFULLR AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-3.0-only AND GPL-3.0-or-later AND ISC"],"cpes":["cpe:2.3:a:coreutils:coreutils:9.7-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/coreutils@9.7-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-9390","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-9390","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in vim up to 9.1.1615. 
Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-9390","epss":0.00056,"percentile":0.17295,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9390","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0028},"relatedVulnerabilities":[{"id":"CVE-2025-9390","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-9390","namespace":"nvd:cpe","severity":"Medium","urls":["https://drive.google.com/file/d/1JLnqrdcGsjUhbYzIEweXIGZyETjHlKtX/view?usp=sharing","https://github.com/vim/vim/commit/eeef7c77436a78cd27047b0f5fa6925d56de3cb0","https://github.com/vim/vim/issues/17944","https://github.com/vim/vim/pull/17947","https://github.com/vim/vim/releases/tag/v9.1.1616","https://vuldb.com/?ctiid.321223","https://vuldb.com/?id.321223","https://vuldb.com/?submit.630903"],"description":"A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9390","epss":0.00056,"percentile":0.17295,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9390","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-9390","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND 
GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-9390","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-9390","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. 
It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-9390","epss":0.00056,"percentile":0.17295,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9390","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0028},"relatedVulnerabilities":[{"id":"CVE-2025-9390","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-9390","namespace":"nvd:cpe","severity":"Medium","urls":["https://drive.google.com/file/d/1JLnqrdcGsjUhbYzIEweXIGZyETjHlKtX/view?usp=sharing","https://github.com/vim/vim/commit/eeef7c77436a78cd27047b0f5fa6925d56de3cb0","https://github.com/vim/vim/issues/17944","https://github.com/vim/vim/pull/17947","https://github.com/vim/vim/releases/tag/v9.1.1616","https://vuldb.com/?ctiid.321223","https://vuldb.com/?id.321223","https://vuldb.com/?submit.630903"],"description":"A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9390","epss":0.00056,"percentile":0.17295,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9390","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-9390","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND 
GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-9390","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-9390","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. 
It is recommended to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-9390","epss":0.00056,"percentile":0.17295,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9390","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0028},"relatedVulnerabilities":[{"id":"CVE-2025-9390","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-9390","namespace":"nvd:cpe","severity":"Medium","urls":["https://drive.google.com/file/d/1JLnqrdcGsjUhbYzIEweXIGZyETjHlKtX/view?usp=sharing","https://github.com/vim/vim/commit/eeef7c77436a78cd27047b0f5fa6925d56de3cb0","https://github.com/vim/vim/issues/17944","https://github.com/vim/vim/pull/17947","https://github.com/vim/vim/releases/tag/v9.1.1616","https://vuldb.com/?ctiid.321223","https://vuldb.com/?id.321223","https://vuldb.com/?submit.630903"],"description":"A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. 
It is recommended to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9390","epss":0.00056,"percentile":0.17295,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9390","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-9390","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-9390","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND 
GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-6842","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6842","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6842","epss":0.0001,"percentile":0.01257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6842","cwe":"CWE-732","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0027500000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-6842","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6842","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2026-6842","https://bugzilla.redhat.com/show_bug.cgi?id=2460018"],"description":"A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. 
This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6842","epss":0.0001,"percentile":0.01257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6842","cwe":"CWE-732","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nano","version":"8.4-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6842","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-nano-0906c22c973e82bb","name":"nano","version":"8.4-1","type":"deb","locations":null,"language":"","licenses":["GFDL-1.2-only AND LicenseRef-GFDL-NIV- AND GPL-3.0-only AND GPL-3.0-or-later"],"cpes":["cpe:2.3:a:nano:nano:8.4-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/nano@8.4-1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2019-5062","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-5062","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. 
By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.","cvss":[],"epss":[{"cve":"CVE-2019-5062","epss":0.00054,"percentile":0.16893,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-5062","cwe":"CWE-440","source":"talos-cna@cisco.com","type":"Secondary"},{"cve":"CVE-2019-5062","cwe":"CWE-346","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0027},"relatedVulnerabilities":[{"id":"CVE-2019-5062","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-5062","namespace":"nvd:cpe","severity":"Medium","urls":["https://talosintelligence.com/vulnerability_reports/TALOS-2019-0850"],"description":"An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:A/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":3.3,"exploitabilityScore":6.5,"impactScore":2.9},"vendorMetadata":{}},{"source":"talos-cna@cisco.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":2.9,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-5062","epss":0.00054,"percentile":0.16893,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2019-5062","cwe":"CWE-440","source":"talos-cna@cisco.com","type":"Secondary"},{"cve":"CVE-2019-5062","cwe":"CWE-346","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"wpa","version":"2:2.10-24"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-5062","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-wpasupplicant-f998381dada0f060","name":"wpasupplicant","version":"2:2.10-24","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND GPL-2.0-only AND ISC AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:wpasupplicant:wpasupplicant:2\\:2.10-24:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/wpasupplicant@2%3A2.10-24?arch=arm64&distro=debian-13&upstream=wpa","upstreams":[{"name":"wpa"}]}},{"vulnerability":{"id":"CVE-2026-4897","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4897","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in polkit. 
A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4897","epss":0.00005,"percentile":0.0028,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4897","cwe":"CWE-770","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.002625},"relatedVulnerabilities":[{"id":"CVE-2026-4897","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4897","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4897","https://bugzilla.redhat.com/show_bug.cgi?id=2451739"],"description":"A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). 
This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4897","epss":0.00005,"percentile":0.0028,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4897","cwe":"CWE-770","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"policykit-1","version":"126-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4897","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpolkit-agent-1-0-f1731eb7f133c36d","name":"libpolkit-agent-1-0","version":"126-2","type":"deb","locations":null,"language":"","licenses":["Expat AND LGPL-2.0-only AND 
LGPL-2.0-or-later"],"cpes":["cpe:2.3:a:libpolkit-agent-1-0:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent-1-0:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1_0:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1_0:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent-1:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent-1:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpolkit-agent-1-0@126-2?arch=arm64&distro=debian-13&upstream=policykit-1","upstreams":[{"name":"policykit-1"}]}},{"vulnerability":{"id":"CVE-2026-4897","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4897","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). 
This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4897","epss":0.00005,"percentile":0.0028,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4897","cwe":"CWE-770","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.002625},"relatedVulnerabilities":[{"id":"CVE-2026-4897","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4897","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4897","https://bugzilla.redhat.com/show_bug.cgi?id=2451739"],"description":"A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). 
This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4897","epss":0.00005,"percentile":0.0028,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4897","cwe":"CWE-770","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"policykit-1","version":"126-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4897","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpolkit-gobject-1-0-60e058e81a86de11","name":"libpolkit-gobject-1-0","version":"126-2","type":"deb","locations":null,"language":"","licenses":["Expat AND LGPL-2.0-only AND 
LGPL-2.0-or-later"],"cpes":["cpe:2.3:a:libpolkit-gobject-1-0:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject-1-0:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1_0:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1_0:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject-1:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject-1:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpolkit-gobject-1-0@126-2?arch=arm64&distro=debian-13&upstream=policykit-1","upstreams":[{"name":"policykit-1"}]}},{"vulnerability":{"id":"CVE-2026-4897","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4897","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). 
This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4897","epss":0.00005,"percentile":0.0028,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4897","cwe":"CWE-770","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.002625},"relatedVulnerabilities":[{"id":"CVE-2026-4897","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4897","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4897","https://bugzilla.redhat.com/show_bug.cgi?id=2451739"],"description":"A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). 
This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4897","epss":0.00005,"percentile":0.0028,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4897","cwe":"CWE-770","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"policykit-1","version":"126-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4897","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-polkitd-c3c2e4a91a094c40","name":"polkitd","version":"126-2","type":"deb","locations":null,"language":"","licenses":["Expat AND LGPL-2.0-only AND LGPL-2.0-or-later"],"cpes":["cpe:2.3:a:polkitd:polkitd:126-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/polkitd@126-2?arch=arm64&distro=debian-13&upstream=policykit-1","upstreams":[{"name":"policykit-1"}]}},{"vulnerability":{"id":"CVE-2026-32776","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-32776","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity 
content.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32776","epss":0.00005,"percentile":0.00277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32776","cwe":"CWE-476","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002625},"relatedVulnerabilities":[{"id":"CVE-2026-32776","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-32776","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/libexpat/libexpat/pull/1158","https://github.com/libexpat/libexpat/pull/1159"],"description":"libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4,"exploitabilityScore":2.6,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32776","epss":0.00005,"percentile":0.00277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32776","cwe":"CWE-476","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-32776","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2026-32778","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-32778","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32778","epss":0.00005,"percentile":0.00277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32778","cwe":"CWE-476","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002625},"relatedVulnerabilities":[{"id":"CVE-2026-32778","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-32778","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/libexpat/libexpat/pull/1159","https://github.com/libexpat/libexpat/pull/1163"],"description":"libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory 
condition.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32778","epss":0.00005,"percentile":0.00277,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32778","cwe":"CWE-476","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-32778","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2026-25645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-25645","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. 
Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25645","epss":0.00005,"percentile":0.0024,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25645","cwe":"CWE-377","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002625},"relatedVulnerabilities":[{"id":"CVE-2026-25645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-25645","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7","https://github.com/psf/requests/releases/tag/v2.33.0","https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"],"description":"Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. 
If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":0.8,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-25645","epss":0.00005,"percentile":0.0024,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-25645","cwe":"CWE-377","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"requests","version":"2.32.3+dfsg-5+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-25645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3-requests-c83667bcfd4b53dc","name":"python3-requests","version":"2.32.3+dfsg-5+deb13u1","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND 
LicenseRef-other"],"cpes":["cpe:2.3:a:python3-requests:python3-requests:2.32.3\\+dfsg-5\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3-requests:python3_requests:2.32.3\\+dfsg-5\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3_requests:python3-requests:2.32.3\\+dfsg-5\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3_requests:python3_requests:2.32.3\\+dfsg-5\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-requests:2.32.3\\+dfsg-5\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_requests:2.32.3\\+dfsg-5\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-requests@2.32.3%2Bdfsg-5%2Bdeb13u1?arch=all&distro=debian-13&upstream=requests","upstreams":[{"name":"requests"}]}},{"vulnerability":{"id":"CVE-2026-32777","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-32777","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"libexpat before 2.7.5 allows an infinite loop while parsing DTD content.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32777","epss":0.00005,"percentile":0.00228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32777","cwe":"CWE-835","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002625},"relatedVulnerabilities":[{"id":"CVE-2026-32777","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-32777","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/libexpat/libexpat/issues/1161","https://github.com/libexpat/libexpat/pull/1159","https://github.com/libexpat/libexpat/pull/1162","https://issues.oss-fuzz.com/issues/486993411"],"description":"libexpat before 2.7.5 allows an infinite loop while parsing DTD 
content.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4,"exploitabilityScore":2.6,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32777","epss":0.00005,"percentile":0.00228,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32777","cwe":"CWE-835","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-32777","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2026-4519","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4519","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The webbrowser.open() API would accept leading dashes in the URL which  could be handled as command line options for certain web browsers. New  behavior rejects leading dashes. 
Users are recommended to sanitize URLs  prior to passing to webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00252},"relatedVulnerabilities":[{"id":"CVE-2026-4519","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4519","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd","https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866","https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e","https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1","https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b","https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4","https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76","https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c","https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5","https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48","https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932","https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03","https://github.com/python/cpython/issues/143930","https://github.com/python/cpython/pull/143931","https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/","http://www.openwall.com/lists/oss-security/2026/03/20
/1"],"description":"The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4519","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-4519","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4519","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The webbrowser.open() API would accept leading dashes in the URL which  could be handled as command line options for certain web browsers. New  behavior rejects leading dashes. Users are recommended to sanitize URLs  prior to passing to 
webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00252},"relatedVulnerabilities":[{"id":"CVE-2026-4519","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4519","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd","https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866","https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e","https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1","https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b","https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4","https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76","https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c","https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5","https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48","https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932","https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03","https://github.com/python/cpython/issues/143930","https://github.com/python/cpython/pull/143931","https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/","http://www.openwall.com/lists/oss-security/2026/03/20/1"],"description":"The webbrowser.open() API would accept 
leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4519","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-4519","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4519","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The webbrowser.open() API would accept leading dashes in the URL which  could be handled as command line options for certain web browsers. New  behavior rejects leading dashes. Users are recommended to sanitize URLs  prior to passing to 
webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00252},"relatedVulnerabilities":[{"id":"CVE-2026-4519","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4519","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd","https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866","https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e","https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1","https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b","https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4","https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76","https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c","https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5","https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48","https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932","https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03","https://github.com/python/cpython/issues/143930","https://github.com/python/cpython/pull/143931","https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/","http://www.openwall.com/lists/oss-security/2026/03/20/1"],"description":"The webbrowser.open() API would accept 
leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4519","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4519","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4519","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"The webbrowser.open() API would accept leading dashes in the URL which  could be handled as command line options for certain web browsers. 
New  behavior rejects leading dashes. Users are recommended to sanitize URLs  prior to passing to webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00252},"relatedVulnerabilities":[{"id":"CVE-2026-4519","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4519","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd","https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866","https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e","https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1","https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b","https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4","https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76","https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c","https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5","https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48","https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932","https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03","https://github.com/python/cpython/issues/143930","https://github.com/python/cpython/pull/143931","https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/","http://www.open
wall.com/lists/oss-security/2026/03/20/1"],"description":"The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4519","epss":0.00008,"percentile":0.00806,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4519","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4519","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-70873","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-70873","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.","cvss":[],"epss":[{"cve":"CVE-2025-70873","epss":0.0005,"percentile":0.15322,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-70873","cwe":"CWE-244","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0025},"relatedVulnerabilities":[{"id":"CVE-2025-70873","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-70873","namespace":"nvd:cpe","severity":"High","urls":["https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054","https://sqlite.org/forum/forumpost/761eac3c82","https://sqlite.org/src/info/3d459f1fb1bd1b5e"],"description":"An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-70873","epss":0.0005,"percentile":0.15322,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-70873","cwe":"CWE-244","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"sqlite3","version":"3.46.1-7+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-70873","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsqlite3-0-9f6b91e17f2f8e97","name":"libsqlite3-0","version":"3.46.1-7+deb13u1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsqlite3-0:libsqlite3-0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3-0:libsqlite3_0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3_0:libsqlite3-0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3_0:libsqlite3_0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3:libsqlite3-0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsqlite3:libsqlite3_0:3.46.1-7\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsqlite3-0@3.46.1-7%2Bdeb13u1?arch=arm64&distro=debian-13&upstream=sqlite3","upstreams":[{"name":"sqlite3"}]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66864","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66864","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00245},"relatedVulnerabilities":[{"id":"CVE-2025-66864","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66864","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md"],"description":"An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66864","epss":0.00049,"percentile":0.15042,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66864","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66864","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-dirmngr-1503f6714851f186","name":"dirmngr","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:dirmngr:dirmngr:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/dirmngr@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an 
adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gnupg-e708db6544496117","name":"gnupg","version":"2.4.7-21+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg:gnupg:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2","upstreams":[{"name":"gnupg2"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after 
the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gnupg-l10n-aecb683b9f0b939d","name":"gnupg-l10n","version":"2.4.7-21+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg-l10n:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg-l10n:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_l10n:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_l10n:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg-l10n@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2","upstreams":[{"name":"gnupg2"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gnupg-utils-41247e5942d68018","name":"gnupg-utils","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg-utils:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg-utils:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_utils:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_utils:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg-utils@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-cd637b4dec7be710","name":"gpg","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg:gpg:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can 
construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-agent-4576e24fc7cc8670","name":"gpg-agent","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg-agent:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-agent:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_agent:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_agent:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg-agent@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-wks-client-6b2180724711c171","name":"gpg-wks-client","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg-wks-client:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks-client:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks_client:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks_client:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg-wks-client@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgconf-3b5f9b632f61a80b","name":"gpgconf","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgconf:gpgconf:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgconf@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an 
adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgsm-fc93e5f8d49a08ff","name":"gpgsm","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgsm:gpgsm:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgsm@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-68972","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-68972","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary 
can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.002425},"relatedVulnerabilities":[{"id":"CVE-2025-68972","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-68972","namespace":"nvd:cpe","severity":"Medium","urls":["https://gpg.fail/formfeed","https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i","https://news.ycombinator.com/item?id=46404339"],"description":"In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). 
This is related to use of \\f as a marker to denote truncation of a long plaintext line.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.5,"impactScore":4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-68972","epss":0.00005,"percentile":0.0025,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-68972","cwe":"CWE-347","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-68972","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgv-747a9fedcf815a7f","name":"gpgv","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgv:gpgv:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgv@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. 
This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. 
This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"1
3"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability 
classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. 
The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. 
The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. 
The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. 
The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. 
The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. 
The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. 
It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":
{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. 
Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"
package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. 
It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":
{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. 
Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"
package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. 
It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":
{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. 
Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"
package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1149","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1149","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1149","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1149","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295053","https://vuldb.com/?id.295053","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1149","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1149","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1149","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1149","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1150","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1150","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1150","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1150","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295054","https://vuldb.com/?id.295054","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. 
It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1150","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1150","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":
{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1150","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1151","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1151","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1151","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295055","https://vuldb.com/?id.295055","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. 
All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1151","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1151","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1151","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1152","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1152","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0024000000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-1152","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1152","namespace":"nvd:cpe","severity":"Low","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15887","https://sourceware.org/bugzilla/show_bug.cgi?id=32576","https://vuldb.com/?ctiid.295056","https://vuldb.com/?id.295056","https://www.gnu.org/"],"description":"A vulnerability classified as problematic has been found in GNU Binutils 2.43. 
Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.3},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.1,"exploitabilityScore":1.7,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:N/AC:H/Au:N/C:N/I:N/A:P","metrics":{"baseScore":2.6,"exploitabilityScore":5,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1152","epss":0.00048,"percentile":0.14838,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1152","cwe":"CWE-401","source":"nvd@nist.gov","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"
package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1152","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-28420","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28420","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. 
Version 9.2.0076 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28420","epss":0.00005,"percentile":0.00251,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28420","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28420","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00235},"relatedVulnerabilities":[{"id":"CVE-2026-28420","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28420","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/bb6de2105b160e729c34063","https://github.com/vim/vim/releases/tag/v9.2.0076","https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg","http://www.openwall.com/lists/oss-security/2026/02/27/9"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. 
Version 9.2.0076 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28420","epss":0.00005,"percentile":0.00251,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28420","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28420","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28420","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28420","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28420","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28420","epss":0.00005,"percentile":0.00251,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28420","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28420","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00235},"relatedVulnerabilities":[{"id":"CVE-2026-28420","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28420","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/bb6de2105b160e729c34063","https://github.com/vim/vim/releases/tag/v9.2.0076","https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg","http://www.openwall.com/lists/oss-security/2026/02/27/9"],"de
scription":"Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28420","epss":0.00005,"percentile":0.00251,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28420","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28420","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28420","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28420","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28420","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28420","epss":0.00005,"percentile":0.00251,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28420","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28420","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00235},"relatedVulnerabilities":[{"id":"CVE-2026-28420","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28420","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/bb6de2105b160e729c34063","https://github.com/vim/vim/releases/tag/v9.2.0076","https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg","http://www.openwall.com/lists/oss-security/2026/02/27/9"],"description":"Vim is 
an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28420","epss":0.00005,"percentile":0.00251,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28420","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28420","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28420","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. 
During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. 
During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 
2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69649","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69649","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0022500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69649","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69649","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33697","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66"],"description":"GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. 
No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69649","epss":0.00045,"percentile":0.13579,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69649","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69649","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4539","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4539","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. 
The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":[{"source":"cna@vuldb.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4539","epss":0.00007,"percentile":0.00648,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4539","cwe":"CWE-400","source":"cna@vuldb.com","type":"Primary"},{"cve":"CVE-2026-4539","cwe":"CWE-1333","source":"cna@vuldb.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0022049999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-4539","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4539","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/pygments/pygments/","https://github.com/pygments/pygments/issues/3058","https://vuldb.com/?ctiid.352327","https://vuldb.com/?id.352327","https://vuldb.com/?submit.774685"],"description":"A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":[{"source":"cna@vuldb.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4539","epss":0.00007,"percentile":0.00648,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4539","cwe":"CWE-400","source":"cna@vuldb.com","type":"Primary"},{"cve":"CVE-2026-4539","cwe":"CWE-1333","source":"cna@vuldb.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"pygments","version":"2.18.0+dfsg-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4539","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3-pygments-548d379432457f75","name":"python3-pygments","version":"2.18.0+dfsg-2","type":"deb","locations":null,"language":"","licenses":["Apache-2.0 AND BSD-2-Clause AND 
LicenseRef-ISO-1986"],"cpes":["cpe:2.3:a:python3-pygments:python3-pygments:2.18.0\\+dfsg-2:*:*:*:*:*:*:*","cpe:2.3:a:python3-pygments:python3_pygments:2.18.0\\+dfsg-2:*:*:*:*:*:*:*","cpe:2.3:a:python3_pygments:python3-pygments:2.18.0\\+dfsg-2:*:*:*:*:*:*:*","cpe:2.3:a:python3_pygments:python3_pygments:2.18.0\\+dfsg-2:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3-pygments:2.18.0\\+dfsg-2:*:*:*:*:*:*:*","cpe:2.3:a:python3:python3_pygments:2.18.0\\+dfsg-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3-pygments@2.18.0%2Bdfsg-2?arch=all&distro=debian-13&upstream=pygments","upstreams":[{"name":"pygments"}]}},{"vulnerability":{"id":"CVE-2025-1372","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1372","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1372","epss":0.00043,"percentile":0.12883,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1372","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00215},"relatedVulnerabilities":[{"id":"CVE-2025-1372","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1372","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15927","https://sourceware.org/bugzilla/show_bug.cgi?id=32656","https://sourceware.org/bugzilla/show_bug.cgi?id=32656#c3","https://sourceware.org/bugzilla/show_bug.cgi?id=32657","https://vuldb.com/?ctiid.295981","https://vuldb.com/?id.295981","https://vuldb.com/?submit.496485","https://www.gnu.org/"],"description":"A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1372","epss":0.00043,"percentile":0.12883,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1372","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1372","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libdw1t64-c1ee80f31f7dbed2","name":"libdw1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libdw1t64:libdw1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libdw1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1372","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1372","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1372","epss":0.00043,"percentile":0.12883,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1372","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00215},"relatedVulnerabilities":[{"id":"CVE-2025-1372","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1372","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15927","https://sourceware.org/bugzilla/show_bug.cgi?id=32656","https://sourceware.org/bugzilla/show_bug.cgi?id=32656#c3","https://sourceware.org/bugzilla/show_bug.cgi?id=32657","https://vuldb.com/?ctiid.295981","https://vuldb.com/?id.295981","https://vuldb.com/?submit.496485","https://www.gnu.org/"],"description":"A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. 
Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1372","epss":0.00043,"percentile":0.12883,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1372","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1372","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1372","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libelf1t64-0cd60a52cc5d00d2","name":"libelf1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libelf1t64:libelf1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libelf1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2026-28418","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28418","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. 
Version 9.2.0074 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28418","epss":0.00004,"percentile":0.00203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28418","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28418","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-28418","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28418","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb","https://github.com/vim/vim/releases/tag/v9.2.0074","https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j","http://www.openwall.com/lists/oss-security/2026/02/27/7"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. 
Version 9.2.0074 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28418","epss":0.00004,"percentile":0.00203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28418","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28418","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28418","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28418","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28418","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. 
Version 9.2.0074 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28418","epss":0.00004,"percentile":0.00203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28418","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28418","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-28418","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28418","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb","https://github.com/vim/vim/releases/tag/v9.2.0074","https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j","http://www.openwall.com/lists/oss-security/2026/02/27/7"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. 
Version 9.2.0074 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28418","epss":0.00004,"percentile":0.00203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28418","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28418","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28418","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28418","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28418","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the 
issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28418","epss":0.00004,"percentile":0.00203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28418","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28418","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-28418","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28418","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb","https://github.com/vim/vim/releases/tag/v9.2.0074","https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j","http://www.openwall.com/lists/oss-security/2026/02/27/7"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. 
Version 9.2.0074 fixes the issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":1.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28418","epss":0.00004,"percentile":0.00203,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28418","cwe":"CWE-122","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-28418","cwe":"CWE-125","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28418","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2025-60018","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-60018","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read.","cvss":[],"epss":[{"cve":"CVE-2025-60018","epss":0.00042,"percentile":0.12812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60018","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-60018","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-60018","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2025-60018","https://bugzilla.redhat.com/show_bug.cgi?id=2398135","https://gitlab.gnome.org/GNOME/glib-networking/-/issues/226"],"description":"glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds 
read.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":4.8,"exploitabilityScore":2.3,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60018","epss":0.00042,"percentile":0.12812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60018","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60018","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-bf0f6ae664cbde32","name":"glib-networking","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking@2.80.1-1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-60018","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-60018","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds 
read.","cvss":[],"epss":[{"cve":"CVE-2025-60018","epss":0.00042,"percentile":0.12812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60018","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-60018","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-60018","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2025-60018","https://bugzilla.redhat.com/show_bug.cgi?id=2398135","https://gitlab.gnome.org/GNOME/glib-networking/-/issues/226"],"description":"glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":4.8,"exploitabilityScore":2.3,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60018","epss":0.00042,"percentile":0.12812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60018","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60018","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-common-be064f536c9d2a66","name":"glib-networking-common","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking-common:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking-common:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_common:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_common:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking-common@2.80.1-1?arch=all&distro=debian-13&upstream=glib-networking","upstreams":[{"name":"glib-networking"}]}},{"vulnerability":{"id":"CVE-2025-60018","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-60018","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read.","cvss":[],"epss":[{"cve":"CVE-2025-60018","epss":0.00042,"percentile":0.12812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60018","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-60018","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-60018","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2025-60018","https://bugzilla.redhat.com/show_bug.cgi?id=2398135","https://gitlab.gnome.org/GNOME/glib-networking/-/issues/226"],"description":"glib-networking's OpenSSL backend fails to properly check the return value of a call to 
BIO_write(), resulting in an out of bounds read.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":4.8,"exploitabilityScore":2.3,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60018","epss":0.00042,"percentile":0.12812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60018","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60018","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-services-b92ebcebb892237e","name":"glib-networking-services","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking-services:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking-services:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_services:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_services:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking-services@2.80.1-1?arch=arm64&distro=debian-13&upstream=glib-networking","upstreams":[{"name":"glib-networking"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libnss-systemd-ad7265eadb35cc00","name":"libnss-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libnss-systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss-systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss_systemd:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libnss:libnss_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnss-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libpam-systemd-022f917bdf524182","name":"libpam-systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libpam-systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam-systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam_systemd:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam-systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libpam:libpam_systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpam-systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libsystemd-shared-b1ad66cbf61a8db5","name":"libsystemd-shared","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd-shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd-shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd_shared:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd-shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:libsystemd:libsystemd_shared:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd-shared@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libsystemd0-2ebc906354bc0592","name":"libsystemd0","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsystemd0:libsystemd0:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libudev1-c6f7af268569b00a","name":"libudev1","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libudev1:libudev1:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-systemd-f903f3f27e740730","name":"systemd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd:systemd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd@257.9-1~deb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-cryptsetup-a05233fe9c9714fd","name":"systemd-cryptsetup","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_cryptsetup:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_cryptsetup:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-cryptsetup@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-sysv-10669ba5f85c6427","name":"systemd-sysv","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_sysv:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_sysv:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-sysv@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-systemd-timesyncd-6b431489698ee740","name":"systemd-timesyncd","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:systemd-timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd-timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd_timesyncd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd-timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:systemd:systemd_timesyncd:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/systemd-timesyncd@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2013-4392","dataSource":"https://security-tracker.debian.org/tracker/CVE-2013-4392","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.","cvss":[],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0021000000000000003},"relatedVulnerabilities":[{"id":"CVE-2013-4392","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2013-4392","namespace":"nvd:cpe","severity":"Low","urls":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357","http://www.openwall.com/lists/oss-security/2013/10/01/9","https://bugzilla.redhat.com/show_bug.cgi?id=859060"],"description":"systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified 
files.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:P/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":3.4,"impactScore":5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2013-4392","epss":0.00042,"percentile":0.12586,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2013-4392","cwe":"CWE-59","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"systemd","version":"257.9-1~deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2013-4392","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-udev-b6036c3d10c9d62b","name":"udev","version":"257.9-1~deb13u1","type":"deb","locations":null,"language":"","licenses":["CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:udev:udev:257.9-1\\~deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/udev@257.9-1~deb13u1?arch=arm64&distro=debian-13&upstream=systemd","upstreams":[{"name":"systemd"}]}},{"vulnerability":{"id":"CVE-2025-11468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11468","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. 
This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.","cvss":[],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00195},"relatedVulnerabilities":[{"id":"CVE-2025-11468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094","https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2","https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6","https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66","https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0","https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796","https://github.com/python/cpython/issues/143935","https://github.com/python/cpython/pull/143936","https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/"],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. 
This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-11468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11468","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not 
sanitized.","cvss":[],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00195},"relatedVulnerabilities":[{"id":"CVE-2025-11468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094","https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2","https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6","https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66","https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0","https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796","https://github.com/python/cpython/issues/143935","https://github.com/python/cpython/pull/143936","https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/"],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. 
This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-11468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11468","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not 
sanitized.","cvss":[],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00195},"relatedVulnerabilities":[{"id":"CVE-2025-11468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094","https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2","https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6","https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66","https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0","https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796","https://github.com/python/cpython/issues/143935","https://github.com/python/cpython/pull/143936","https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/"],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. 
This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11468","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11468","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. 
This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.","cvss":[],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00195},"relatedVulnerabilities":[{"id":"CVE-2025-11468","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11468","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094","https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2","https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6","https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66","https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0","https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796","https://github.com/python/cpython/issues/143935","https://github.com/python/cpython/pull/143936","https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/"],"description":"When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. 
This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":5.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11468","epss":0.00039,"percentile":0.11561,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11468","cwe":"CWE-93","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11468","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2025-9615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-9615","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in 
NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0018899999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-9615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-9615","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2025-9615","https://bugzilla.redhat.com/show_bug.cgi?id=2391503","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327"],"description":"A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. 
The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"network-manager","version":"1.52.1-1+rpt4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-9615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gir1.2-nm-1.0-caa631b5c8e4f559","name":"gir1.2-nm-1.0","version":"1.52.1-1+rpt4","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GFDL-NIV-1.1- AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:gir1.2-nm-1.0:gir1.2-nm-1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-nm-1.0:gir1.2_nm_1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_nm_1.0:gir1.2-nm-1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_nm_1.0:gir1.2_nm_1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-nm:gir1.2-nm-1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-nm:gir1.2_nm_1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_nm:gir1.2-nm-1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_nm:gir1.2_nm_1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2-nm-1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2_nm_1.0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gir1.2-nm-1.0@1.52.1-1%2Brpt4?arch=arm64&distro=debian-13&upstream=network-manager","upstreams":[{"name":"network-manager"}]}},{"vulnerability":{"id":"CVE-2025-9615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-9615","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. 
The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0018899999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-9615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-9615","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2025-9615","https://bugzilla.redhat.com/show_bug.cgi?id=2391503","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327"],"description":"A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. 
The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"network-manager","version":"1.52.1-1+rpt4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-9615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libnm0-e106a7a8aef9b417","name":"libnm0","version":"1.52.1-1+rpt4","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GFDL-NIV-1.1- AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:libnm0:libnm0:1.52.1-1\\+rpt4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libnm0@1.52.1-1%2Brpt4?arch=arm64&distro=debian-13&upstream=network-manager","upstreams":[{"name":"network-manager"}]}},{"vulnerability":{"id":"CVE-2025-9615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-9615","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. 
The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0018899999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-9615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-9615","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2025-9615","https://bugzilla.redhat.com/show_bug.cgi?id=2391503","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327"],"description":"A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. 
The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"network-manager","version":"1.52.1-1+rpt4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-9615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-network-manager-9f3c91a57c3874e0","name":"network-manager","version":"1.52.1-1+rpt4","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GFDL-NIV-1.1- AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:network-manager:network-manager:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network-manager:network_manager:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network_manager:network-manager:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network_manager:network_manager:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network:network-manager:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network:network_manager:1.52.1-1\\+rpt4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/network-manager@1.52.1-1%2Brpt4?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-9615","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-9615","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. 
NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0018899999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-9615","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-9615","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2025-9615","https://bugzilla.redhat.com/show_bug.cgi?id=2391503","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324","https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327"],"description":"A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. 
The daemon runs with root privileges and can access files owned by users different from the one who added the connection.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-9615","epss":0.00006,"percentile":0.00392,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-9615","cwe":"CWE-281","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"network-manager","version":"1.52.1-1+rpt4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-9615","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-network-manager-l10n-7d9ed898fb623a65","name":"network-manager-l10n","version":"1.52.1-1+rpt4","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GFDL-NIV-1.1- AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:network-manager-l10n:network-manager-l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network-manager-l10n:network_manager_l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network_manager_l10n:network-manager-l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network_manager_l10n:network_manager_l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network-manager:network-manager-l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network-manager:network_manager_l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network_manager:network-manager-l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network_manager:network_manager_l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network:network-manager-l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*","cpe:2.3:a:network:network_manager_l10n:1.52.1-1\\+rpt4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/network-manager-l10n@1.52.1-1%2Brpt4?arch=all&distro=debian-13&upstream=network-manager","upstreams":[{"name":"network-manager"}]}},{"vulnerability":{"id":"CVE-2025-60019","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-60019","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. 
An out of memory condition could potentially result in writing to an invalid memory location.","cvss":[],"epss":[{"cve":"CVE-2025-60019","epss":0.00036,"percentile":0.10745,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60019","cwe":"CWE-476","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0018},"relatedVulnerabilities":[{"id":"CVE-2025-60019","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-60019","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2025-60019","https://bugzilla.redhat.com/show_bug.cgi?id=2398140","https://gitlab.gnome.org/GNOME/glib-networking/-/issues/227"],"description":"glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. An out of memory condition could potentially result in writing to an invalid memory location.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60019","epss":0.00036,"percentile":0.10745,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60019","cwe":"CWE-476","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60019","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-bf0f6ae664cbde32","name":"glib-networking","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking@2.80.1-1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-60019","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-60019","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. An out of memory condition could potentially result in writing to an invalid memory location.","cvss":[],"epss":[{"cve":"CVE-2025-60019","epss":0.00036,"percentile":0.10745,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60019","cwe":"CWE-476","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0018},"relatedVulnerabilities":[{"id":"CVE-2025-60019","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-60019","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2025-60019","https://bugzilla.redhat.com/show_bug.cgi?id=2398140","https://gitlab.gnome.org/GNOME/glib-networking/-/issues/227"],"description":"glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. 
An out of memory condition could potentially result in writing to an invalid memory location.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60019","epss":0.00036,"percentile":0.10745,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60019","cwe":"CWE-476","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60019","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-common-be064f536c9d2a66","name":"glib-networking-common","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking-common:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking-common:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_common:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_common:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking-common@2.80.1-1?arch=all&distro=debian-13&upstream=glib-networking","upstreams":[{"name":"glib-networking"}]}},{"vulnerability":{"id":"CVE-2025-60019","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-60019","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. 
An out of memory condition could potentially result in writing to an invalid memory location.","cvss":[],"epss":[{"cve":"CVE-2025-60019","epss":0.00036,"percentile":0.10745,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60019","cwe":"CWE-476","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0018},"relatedVulnerabilities":[{"id":"CVE-2025-60019","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-60019","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2025-60019","https://bugzilla.redhat.com/show_bug.cgi?id=2398140","https://gitlab.gnome.org/GNOME/glib-networking/-/issues/227"],"description":"glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. An out of memory condition could potentially result in writing to an invalid memory location.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-60019","epss":0.00036,"percentile":0.10745,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-60019","cwe":"CWE-476","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-60019","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-services-b92ebcebb892237e","name":"glib-networking-services","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking-services:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking-services:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_services:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_services:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking-services@2.80.1-1?arch=arm64&distro=debian-13&upstream=glib-networking","upstreams":[{"name":"glib-networking"}]}},{"vulnerability":{"id":"CVE-2025-15079","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15079","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts 
file.","cvss":[],"epss":[{"cve":"CVE-2025-15079","epss":0.00035,"percentile":0.10257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15079","cwe":"CWE-297","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-15079","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15079","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-15079.html","https://curl.se/docs/CVE-2025-15079.json","https://hackerone.com/reports/3477116","http://www.openwall.com/lists/oss-security/2026/01/07/6"],"description":"When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15079","epss":0.00035,"percentile":0.10257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15079","cwe":"CWE-297","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15079","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-15079","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15079","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.","cvss":[],"epss":[{"cve":"CVE-2025-15079","epss":0.00035,"percentile":0.10257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15079","cwe":"CWE-297","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-15079","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15079","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-15079.html","https://curl.se/docs/CVE-2025-15079.json","https://hackerone.com/reports/3477116","http://www.openwall.com/lists/oss-security/2026/01/07/6"],"description":"When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15079","epss":0.00035,"percentile":0.10257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15079","cwe":"CWE-297","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15079","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-15079","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-15079","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing SSH-based transfers using either SCP or SFTP, and 
setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.","cvss":[],"epss":[{"cve":"CVE-2025-15079","epss":0.00035,"percentile":0.10257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15079","cwe":"CWE-297","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017500000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-15079","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-15079","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-15079.html","https://curl.se/docs/CVE-2025-15079.json","https://hackerone.com/reports/3477116","http://www.openwall.com/lists/oss-security/2026/01/07/6"],"description":"When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-15079","epss":0.00035,"percentile":0.10257,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-15079","cwe":"CWE-297","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-15079","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-4224","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4224","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.","cvss":[],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0017500000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-4224","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4224","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a","https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785","https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee","https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3","https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768","https://github.com/python/cpython/issues/145986","https://github.com/python/cpython/pull/145987","https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3
TPZ6R/","http://www.openwall.com/lists/oss-security/2026/03/16/4"],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4224","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-4224","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4224","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.","cvss":[],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0017500000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-4224","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4224","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a","https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785","https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee","https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3","https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768","https://github.com/python/cpython/issues/145986","https://github.com/python/cpython/pull/145987","https://mail.python.org/a
rchives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/","http://www.openwall.com/lists/oss-security/2026/03/16/4"],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4224","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-4224","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4224","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.","cvss":[],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0017500000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-4224","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4224","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a","https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785","https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee","https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3","https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768","https://github.com/python/cpython/issues/145986","https://github.com/python/cpython/pull/145987","https://mail.python.org/archives/lis
t/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/","http://www.openwall.com/lists/oss-security/2026/03/16/4"],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4224","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4224","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4224","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow 
occurs.","cvss":[],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0017500000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-4224","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4224","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a","https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785","https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee","https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3","https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768","https://github.com/python/cpython/issues/145986","https://github.com/python/cpython/pull/145987","https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/","http://www.openwall.com/lists/oss-security/2026/03/16/4"],"description":"When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow 
occurs.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4224","epss":0.00035,"percentile":0.10092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4224","cwe":"CWE-674","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4224","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-1485","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1485","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in Glib's content type parsing logic. 
This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00174},"relatedVulnerabilities":[{"id":"CVE-2026-1485","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1485","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2026-1485","https://bugzilla.redhat.com/show_bug.cgi?id=2433325","https://gitlab.gnome.org/GNOME/glib/-/issues/3871"],"description":"A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. 
Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1485","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gir1.2-glib-2.0-e0776636faa7c9e3","name":"gir1.2-glib-2.0","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:gir1.2-glib-2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib-2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib_2.0:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2-glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2_glib:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2-glib-2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:gir1.2:gir1.2_glib_2.0:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gir1.2-glib-2.0@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1485","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1485","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. 
Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00174},"relatedVulnerabilities":[{"id":"CVE-2026-1485","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1485","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2026-1485","https://bugzilla.redhat.com/show_bug.cgi?id=2433325","https://gitlab.gnome.org/GNOME/glib/-/issues/3871"],"description":"A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. 
Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1485","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-0t64-eefae290723bdc16","name":"libglib2.0-0t64","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_0t64:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_0t64:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1485","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1485","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. 
Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00174},"relatedVulnerabilities":[{"id":"CVE-2026-1485","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1485","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2026-1485","https://bugzilla.redhat.com/show_bug.cgi?id=2433325","https://gitlab.gnome.org/GNOME/glib/-/issues/3871"],"description":"A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. 
Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1485","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-bin-cfa6976752b86f25","name":"libglib2.0-bin","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_bin:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_bin:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-bin@2.84.4-3~deb13u2?arch=arm64&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2026-1485","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1485","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. 
Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00174},"relatedVulnerabilities":[{"id":"CVE-2026-1485","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1485","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2026-1485","https://bugzilla.redhat.com/show_bug.cgi?id=2433325","https://gitlab.gnome.org/GNOME/glib/-/issues/3871"],"description":"A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. 
Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.8,"exploitabilityScore":1.4,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1485","epss":0.00006,"percentile":0.00348,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1485","cwe":"CWE-124","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib2.0","version":"2.84.4-3~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1485","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libglib2.0-data-bbd4ccdf8b009a02","name":"libglib2.0-data","version":"2.84.4-3~deb13u2","type":"deb","locations":null,"language":"","licenses":["AFL-2.0 AND Apache-2.0 AND CC-BY-SA-3.0 AND CC0-1.0 AND LicenseRef-Expat AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND LicenseRef-Iconv-PD AND LicenseRef-Janik-permissive AND LicenseRef-Kuchling-PD AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MPL-1.1 AND LicenseRef-Mingw-PD AND LicenseRef-Plumb-PD AND Unicode-DFS-2016 AND bzip2-1.0.6 AND LicenseRef-cmph AND 
LicenseRef-old-glib-tests"],"cpes":["cpe:2.3:a:libglib2.0-data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0-data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0_data:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0-data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libglib2.0:libglib2.0_data:2.84.4-3\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libglib2.0-data@2.84.4-3~deb13u2?arch=all&distro=debian-13&upstream=glib2.0","upstreams":[{"name":"glib2.0"}]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. 
The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. 
The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. 
Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. 
Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11494","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11494","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this 
issue.","cvss":[],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0017000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-11494","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11494","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16389","https://sourceware.org/bugzilla/show_bug.cgi?id=33499","https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a","https://vuldb.com/?ctiid.327619","https://vuldb.com/?id.327619","https://vuldb.com/?submit.668281","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. 
A patch should be applied to remediate this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11494","epss":0.00034,"percentile":0.09914,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11494","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11494","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11494","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-24515","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-24515","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24515","epss":0.00006,"percentile":0.00363,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24515","cwe":"CWE-476","source":"cve@mitre.org","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-24515","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24515","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/libexpat/libexpat/pull/1131"],"description":"In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user 
data.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24515","epss":0.00006,"percentile":0.00363,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-24515","cwe":"CWE-476","source":"cve@mitre.org","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"expat","version":"2.7.1-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-24515","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libexpat1-9fbfc999aa8bff3d","name":"libexpat1","version":"2.7.1-2","type":"deb","locations":null,"language":"","licenses":["MIT"],"cpes":["cpe:2.3:a:libexpat1:libexpat1:2.7.1-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libexpat1@2.7.1-2?arch=arm64&distro=debian-13&upstream=expat","upstreams":[{"name":"expat"}]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.44 and 
classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability 
was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-8225","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8225","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-8225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8225","namespace":"nvd:cpe","severity":"Low","urls":["https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4","https://vuldb.com/?ctiid.317813","https://vuldb.com/?id.317813","https://vuldb.com/?submit.621883","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8225","epss":0.00033,"percentile":0.09519,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8225","cwe":"CWE-401","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8225","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-41035","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-41035","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.","cvss":[],"epss":[{"cve":"CVE-2026-41035","epss":0.00032,"percentile":0.09328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41035","cwe":"CWE-130","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0016000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-41035","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-41035","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/RsyncProject/rsync/issues/871","https://github.com/RsyncProject/rsync/releases","https://www.openwall.com/lists/oss-security/2026/04/16/2","http://www.openwall.com/lists/oss-security/2026/04/16/9","http://www.openwall.com/lists/oss-security/2026/04/22/3"],"description":"In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. 
Non-Linux platforms are more widely vulnerable.","cvss":[{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L","metrics":{"baseScore":7.4,"exploitabilityScore":3.2,"impactScore":3.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41035","epss":0.00032,"percentile":0.09328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-41035","cwe":"CWE-130","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"rsync","version":"3.4.1+ds1-5+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-41035","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-rsync-29aabc9d555e2b6c","name":"rsync","version":"3.4.1+ds1-5+deb13u1","type":"deb","locations":null,"language":"","licenses":["FSF-unlimited AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND PostgreSQL AND LicenseRef-public-domain AND snprintf"],"cpes":["cpe:2.3:a:rsync:rsync:3.4.1\\+ds1-5\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/rsync@3.4.1%2Bds1-5%2Bdeb13u1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-5958","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5958","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:  1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file.  Between these two calls there is a race window. 
If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.   This issue was fixed in version 4.10.","cvss":[{"source":"cvd@cert.pl","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5958","epss":0.00006,"percentile":0.00323,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5958","cwe":"CWE-367","source":"cvd@cert.pl","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.00153},"relatedVulnerabilities":[{"id":"CVE-2026-5958","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5958","namespace":"nvd:cpe","severity":"Low","urls":["https://cert.pl/en/posts/2026/04/CVE-2026-5958","https://www.gnu.org/software/sed/"],"description":"When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \n1. resolves symlink to its target and stores the resolved path for determining when output is written,\n2. opens the original symlink path (not the resolved one) to read the file. \nBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. 
This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\n\n\nThis issue was fixed in version 4.10.","cvss":[{"source":"cvd@cert.pl","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5958","epss":0.00006,"percentile":0.00323,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-5958","cwe":"CWE-367","source":"cvd@cert.pl","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"sed","version":"4.9-2+b1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5958","versionConstraint":"none (unknown)"}},{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"sed","version":"4.9-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5958","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-sed-637b79afbc244110","name":"sed","version":"4.9-2+b1","type":"deb","locations":null,"language":"","licenses":["BSD-4-Clause-UC AND BSL-1.0 AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3- AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND X11 AND LicenseRef-pcre"],"cpes":["cpe:2.3:a:sed:sed:4.9-2\\+b1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/sed@4.9-2%2Bb1?arch=arm64&distro=debian-13&upstream=sed%404.9-2","upstreams":[{"name":"sed","version":"4.9-2"}]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. 
This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. 
It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. 
The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. 
It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. 
It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. 
It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. 
It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. 
The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. 
It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. 
It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. 
The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11081","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11081","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014999999999999998},"relatedVulnerabilities":[{"id":"CVE-2025-11081","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11081","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt","https://sourceware.org/bugzilla/show_bug.cgi?id=33406","https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b","https://vuldb.com/?ctiid.326122","https://vuldb.com/?id.326122","https://vuldb.com/?submit.661275","https://www.gnu.org/"],"description":"A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. 
The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11081","epss":0.0003,"percentile":0.08498,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11081","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11081","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11081","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. 
This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. 
It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. 
It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. 
It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. 
It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. 
It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. 
The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. 
It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. 
It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. 
This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11840","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11840","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0014},"relatedVulnerabilities":[{"id":"CVE-2025-11840","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11840","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16351","https://sourceware.org/bugzilla/attachment.cgi?id=16357","https://sourceware.org/bugzilla/show_bug.cgi?id=33455","https://vuldb.com/?ctiid.328775","https://vuldb.com/?id.328775","https://vuldb.com/?submit.661281","https://www.gnu.org/"],"description":"A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. 
The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11840","epss":0.00028,"percentile":0.07967,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11840","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11840","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11840","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. 
The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL 
AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. 
The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. 
The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. 
The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND 
LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. 
The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND 
LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11083","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11083","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-11083","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11083","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16353","https://sourceware.org/bugzilla/show_bug.cgi?id=33457","https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490","https://vuldb.com/?ctiid.326124","https://vuldb.com/?id.326124","https://vuldb.com/?submit.661277","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. 
The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11083","epss":0.00027,"percentile":0.07636,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11083","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11083","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11083","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1365","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1365","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1365","epss":0.00027,"percentile":0.07418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1365","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-1365","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1365","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15925","https://sourceware.org/bugzilla/show_bug.cgi?id=32654","https://sourceware.org/bugzilla/show_bug.cgi?id=32654#c2","https://vuldb.com/?ctiid.295977","https://vuldb.com/?id.295977","https://vuldb.com/?submit.496483","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1365","epss":0.00027,"percentile":0.07418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1365","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1365","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libdw1t64-c1ee80f31f7dbed2","name":"libdw1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libdw1t64:libdw1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libdw1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1365","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1365","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1365","epss":0.00027,"percentile":0.07418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1365","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00135},"relatedVulnerabilities":[{"id":"CVE-2025-1365","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1365","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15925","https://sourceware.org/bugzilla/show_bug.cgi?id=32654","https://sourceware.org/bugzilla/show_bug.cgi?id=32654#c2","https://vuldb.com/?ctiid.295977","https://vuldb.com/?id.295977","https://vuldb.com/?submit.496483","https://www.gnu.org/"],"description":"A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. 
The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1365","epss":0.00027,"percentile":0.07418,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1365","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1365","cwe":"CWE-120","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1365","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libelf1t64-0cd60a52cc5d00d2","name":"libelf1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libelf1t64:libelf1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libelf1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. 
This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. 
The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has 
been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. 
The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. 
It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. 
To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. 
It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. 
It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. 
To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. 
Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was 
determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a 
patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. 
It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. 
It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. 
To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. 
This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 
2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a 
patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. 
Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was 
determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11412","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11412","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a 
patch.","cvss":[],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11412","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11412","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16378","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc","https://vuldb.com/?ctiid.327348","https://vuldb.com/?id.327348","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. 
To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11412","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11412","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11412","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11412","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11414","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11414","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11414","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11414","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16361","https://sourceware.org/bugzilla/show_bug.cgi?id=33450","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703","https://vuldb.com/?ctiid.327350","https://vuldb.com/?id.327350","https://vuldb.com/?submit.665591","https://www.gnu.org/"],"description":"A vulnerability was determined in GNU Binutils 2.45. 
Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11414","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11414","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11414","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11414","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11495","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11495","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-11495","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11495","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16393","https://sourceware.org/bugzilla/show_bug.cgi?id=33502","https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0","https://vuldb.com/?ctiid.327620","https://vuldb.com/?id.327620","https://vuldb.com/?submit.668290","https://www.gnu.org/"],"description":"A vulnerability was determined 
in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11495","epss":0.00026,"percentile":0.07231,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11495","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11495","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11495","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic 
was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. 
Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. 
The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. 
Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. 
Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7545","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-7545","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7545","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16117","https://sourceware.org/bugzilla/show_bug.cgi?id=33049","https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944","https://vuldb.com/?ctiid.316243","https://vuldb.com/?id.316243","https://vuldb.com/?submit.614355","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. 
Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7545","epss":0.00026,"percentile":0.07181,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7545","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7545","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-1371","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1371","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1371","epss":0.00026,"percentile":0.07153,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1371","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-1371","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1371","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15926","https://sourceware.org/bugzilla/show_bug.cgi?id=32655","https://sourceware.org/bugzilla/show_bug.cgi?id=32655#c2","https://vuldb.com/?ctiid.295978","https://vuldb.com/?id.295978","https://vuldb.com/?submit.496484","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. 
The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1371","epss":0.00026,"percentile":0.07153,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1371","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1371","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libdw1t64-c1ee80f31f7dbed2","name":"libdw1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libdw1t64:libdw1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libdw1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1371","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1371","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1371","epss":0.00026,"percentile":0.07153,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1371","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-1371","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1371","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15926","https://sourceware.org/bugzilla/show_bug.cgi?id=32655","https://sourceware.org/bugzilla/show_bug.cgi?id=32655#c2","https://vuldb.com/?ctiid.295978","https://vuldb.com/?id.295978","https://vuldb.com/?submit.496484","https://www.gnu.org/"],"description":"A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1371","epss":0.00026,"percentile":0.07153,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1371","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-1371","cwe":"CWE-476","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1371","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libelf1t64-0cd60a52cc5d00d2","name":"libelf1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libelf1t64:libelf1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libelf1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-10966","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-10966","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.  This prevents curl from detecting MITM attackers and more.","cvss":[],"epss":[{"cve":"CVE-2025-10966","epss":0.00026,"percentile":0.07083,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-10966","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-10966","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-10966.html","https://curl.se/docs/CVE-2025-10966.json","https://hackerone.com/reports/3355218","http://www.openwall.com/lists/oss-security/2025/11/05/2","https://github.com/curl/curl/commit/b011e3fcfb06d6c0278595ee2ee297036fbe9793"],"description":"curl's code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and 
more.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-10966","epss":0.00026,"percentile":0.07083,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-10966","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-10966","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-10966","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.  
This prevents curl from detecting MITM attackers and more.","cvss":[],"epss":[{"cve":"CVE-2025-10966","epss":0.00026,"percentile":0.07083,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-10966","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-10966","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-10966.html","https://curl.se/docs/CVE-2025-10966.json","https://hackerone.com/reports/3355218","http://www.openwall.com/lists/oss-security/2025/11/05/2","https://github.com/curl/curl/commit/b011e3fcfb06d6c0278595ee2ee297036fbe9793"],"description":"curl's code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and more.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-10966","epss":0.00026,"percentile":0.07083,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-10966","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-10966","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-10966","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.  This prevents curl from detecting MITM attackers and more.","cvss":[],"epss":[{"cve":"CVE-2025-10966","epss":0.00026,"percentile":0.07083,"date":"2026-04-29"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0013},"relatedVulnerabilities":[{"id":"CVE-2025-10966","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-10966","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-10966.html","https://curl.se/docs/CVE-2025-10966.json","https://hackerone.com/reports/3355218","http://www.openwall.com/lists/oss-security/2025/11/05/2","https://github.com/curl/curl/commit/b011e3fcfb06d6c0278595ee2ee297036fbe9793"],"description":"curl's code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and 
more.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":2.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-10966","epss":0.00026,"percentile":0.07083,"date":"2026-04-29"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-10966","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. 
This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. 
This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdextrautils-c23db0b188308a2a","name":"bsdextrautils","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdextrautils:bsdextrautils:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdextrautils@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdutils-e11ccc6cace058fe","name":"bsdutils","version":"1:2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdutils:bsdutils:1\\:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdutils@1%3A2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-eject-ea768bbeeffb7a52","name":"eject","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:eject:eject:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/eject@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-fdisk-ec3e750aea21e029","name":"fdisk","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:fdisk:fdisk:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/fdisk@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libblkid1-56b1dc826d98b9e9","name":"libblkid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libblkid1:libblkid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libblkid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libfdisk1-bbbefcb8907b3bd7","name":"libfdisk1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libfdisk1:libfdisk1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libfdisk1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-liblastlog2-2-ad0e084a4ff7b411","name":"liblastlog2-2","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:liblastlog2-2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2-2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/liblastlog2-2@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. 
This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. 
This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libmount1-66459d6a2e55223e","name":"libmount1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libmount1:libmount1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libmount1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsmartcols1-92fb21c80f37cd86","name":"libsmartcols1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsmartcols1:libsmartcols1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsmartcols1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libuuid1-fd028c3811b88694","name":"libuuid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libuuid1:libuuid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libuuid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-login-b08f21232e226b47","name":"login","version":"1:4.16.0-2+really2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:login:login:1\\:4.16.0-2\\+really2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-mount-2a84395d15f466a5","name":"mount","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:mount:mount:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/mount@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-rfkill-6166963bfe2df59a","name":"rfkill","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:rfkill:rfkill:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/rfkill@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2022-0563","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-0563","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2022-0563","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-0563","namespace":"nvd:cpe","severity":"Medium","urls":["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u","https://security.gentoo.org/glsa/202401-08","https://security.netapp.com/advisory/ntap-20220331-0002/"],"description":"A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N","metrics":{"baseScore":1.9,"exploitabilityScore":3.4,"impactScore":2.9},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-0563","epss":0.00025,"percentile":0.07032,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-0563","cwe":"CWE-209","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-0563","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-util-linux-ffaa6c8a5d0e2ea9","name":"util-linux","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:util-linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util-linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util_linux:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/util-linux@2.41-5?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. 
Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. 
The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. 
Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. 
Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11413","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11413","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00125},"relatedVulnerabilities":[{"id":"CVE-2025-11413","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11413","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16362","https://sourceware.org/bugzilla/show_bug.cgi?id=33452","https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0","https://vuldb.com/?ctiid.327349","https://vuldb.com/?id.327349","https://vuldb.com/?submit.665587","https://vuldb.com/?submit.665590","https://www.gnu.org/"],"description":"A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. 
Upgrading the affected component is advised.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11413","epss":0.00025,"percentile":0.0686,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11413","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11413","cwe":"CWE-125","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11413","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2008-5366","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-5366","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/probe-finished or (2) /tmp/ppp-errors temporary file.","cvss":[],"epss":[{"cve":"CVE-2008-5366","epss":0.00024,"percentile":0.06659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-5366","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2008-5366","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-5366","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.debian.org/debian-devel/2008/08/msg00283.html","http://www.securityfocus.com/bid/32740"],"description":"The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/probe-finished or (2) /tmp/ppp-errors temporary 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:C/I:C/A:C","metrics":{"baseScore":6.9,"exploitabilityScore":3.4,"impactScore":10.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-5366","epss":0.00024,"percentile":0.06659,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-5366","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ppp","version":"2.5.2-1+1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-5366","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ppp-896431ac4ef6d69e","name":"ppp","version":"2.5.2-1+1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:ppp:ppp:2.5.2-1\\+1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ppp@2.5.2-1%2B1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. 
It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. 
The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. 
The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-7546","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7546","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-7546","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7546","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16118","https://sourceware.org/bugzilla/show_bug.cgi?id=33050","https://sourceware.org/bugzilla/show_bug.cgi?id=33050#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b","https://vuldb.com/?ctiid.316244","https://vuldb.com/?id.316244","https://vuldb.com/?submit.614375","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. 
The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7546","epss":0.00024,"percentile":0.06591,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7546","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-7546","cwe":"CWE-787","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7546","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. 
A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. 
A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0012000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-69647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69647","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33640","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. 
A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69647","epss":0.00024,"percentile":0.06543,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69647","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. 
The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. 
Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. 
The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. 
Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11082","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11082","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11082","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11082","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16358","https://sourceware.org/bugzilla/show_bug.cgi?id=33464","https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8","https://vuldb.com/?ctiid.326123","https://vuldb.com/?id.326123","https://vuldb.com/?submit.661276","https://www.gnu.org/"],"description":"A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. 
Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with \"[f]ixed for 2.46\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":4.3,"exploitabilityScore":3.2,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11082","epss":0.00023,"percentile":0.06471,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11082","cwe":"CWE-119","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11082","cwe":"CWE-122","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11082","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66861","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66861","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-66861","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66861","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md"],"description":"An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66861","epss":0.00023,"percentile":0.06325,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66861","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66861","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. 
Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. 
Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-11839","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-11839","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.","cvss":[],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011500000000000002},"relatedVulnerabilities":[{"id":"CVE-2025-11839","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-11839","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=16344","https://sourceware.org/bugzilla/show_bug.cgi?id=33448","https://vuldb.com/?ctiid.328774","https://vuldb.com/?id.328774","https://vuldb.com/?submit.661279","https://www.gnu.org/"],"description":"A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. 
The exploit has been released to the public and may be used for attacks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-11839","epss":0.00023,"percentile":0.06264,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-253","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-11839","cwe":"CWE-252","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-11839","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. 
A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. 
A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69648","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69648","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69648","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69648","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33641","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. 
No evidence of memory corruption or code execution was observed.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69648","epss":0.00022,"percentile":0.06092,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69648","cwe":"CWE-835","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69648","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. 
Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. 
Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69652","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69652","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0011},"relatedVulnerabilities":[{"id":"CVE-2025-69652","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69652","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33701","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. 
No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69652","epss":0.00022,"percentile":0.06068,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69652","cwe":"CWE-460","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69652","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-22185","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-22185","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. 
This can cause mdb_load to crash, leading to a limited denial-of-service condition.","cvss":[],"epss":[{"cve":"CVE-2026-22185","epss":0.00021,"percentile":0.05812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-22185","cwe":"CWE-125","source":"disclosure@vulncheck.com","type":"Secondary"},{"cve":"CVE-2026-22185","cwe":"CWE-191","source":"disclosure@vulncheck.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0010500000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-22185","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-22185","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.openldap.org/show_bug.cgi?id=10421","https://seclists.org/fulldisclosure/2026/Jan/5","https://seclists.org/fulldisclosure/2026/Jan/8","https://www.openldap.org/","https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline"],"description":"OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. 
This can cause mdb_load to crash, leading to a limited denial-of-service condition.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-22185","epss":0.00021,"percentile":0.05812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-22185","cwe":"CWE-125","source":"disclosure@vulncheck.com","type":"Secondary"},{"cve":"CVE-2026-22185","cwe":"CWE-191","source":"disclosure@vulncheck.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-22185","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap-common-0c527d3d89610a10","name":"libldap-common","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap-common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap-common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap_common:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap-common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*","cpe:2.3:a:libldap:libldap_common:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap-common@2.6.10%2Bdfsg-1?arch=all&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2026-22185","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-22185","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. 
This can cause mdb_load to crash, leading to a limited denial-of-service condition.","cvss":[],"epss":[{"cve":"CVE-2026-22185","epss":0.00021,"percentile":0.05812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-22185","cwe":"CWE-125","source":"disclosure@vulncheck.com","type":"Secondary"},{"cve":"CVE-2026-22185","cwe":"CWE-191","source":"disclosure@vulncheck.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0010500000000000002},"relatedVulnerabilities":[{"id":"CVE-2026-22185","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-22185","namespace":"nvd:cpe","severity":"Medium","urls":["https://bugs.openldap.org/show_bug.cgi?id=10421","https://seclists.org/fulldisclosure/2026/Jan/5","https://seclists.org/fulldisclosure/2026/Jan/8","https://www.openldap.org/","https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline"],"description":"OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. 
This can cause mdb_load to crash, leading to a limited denial-of-service condition.","cvss":[{"source":"disclosure@vulncheck.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-22185","epss":0.00021,"percentile":0.05812,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-22185","cwe":"CWE-125","source":"disclosure@vulncheck.com","type":"Secondary"},{"cve":"CVE-2026-22185","cwe":"CWE-191","source":"disclosure@vulncheck.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openldap","version":"2.6.10+dfsg-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-22185","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libldap2-c8352a83e37f53d5","name":"libldap2","version":"2.6.10+dfsg-1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND LicenseRef-BSD-3-clause-California AND LicenseRef-BSD-3-clause-variant AND LicenseRef-BSD-4-clause-California AND Beerware AND LicenseRef-Expat AND LicenseRef-Expat-ISC AND LicenseRef-Expat-UNM AND LicenseRef-F5 AND LicenseRef-FSF-unlimited AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LicenseRef-JCG AND LicenseRef-MIT-XC AND LicenseRef-NeoSoft-permissive AND LicenseRef-OpenLDAP-2.8 AND LicenseRef-UMich AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libldap2:libldap2:2.6.10\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libldap2@2.6.10%2Bdfsg-1?arch=arm64&distro=debian-13&upstream=openldap","upstreams":[{"name":"openldap"}]}},{"vulnerability":{"id":"CVE-2025-8732","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-8732","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"","cvss":[],"epss":[{"cve":"CVE-2025-8732","epss":0.0002,"percentile":0.05687,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8732","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8732","cwe":"CWE-674","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2025-8732","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-8732","namespace":"nvd:cpe","severity":"Low","urls":["https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link","https://gitlab.gnome.org/GNOME/libxml2/-/issues/958","https://gitlab.gnome.org/GNOME/libxml2/-/issues/958#note_2505853","https://vuldb.com/?ctiid.319228","https://vuldb.com/?id.319228","https://vuldb.com/?submit.622285"],"description":"A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. 
This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"","cvss":[{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-8732","epss":0.0002,"percentile":0.05687,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-8732","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"},{"cve":"CVE-2025-8732","cwe":"CWE-674","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-8732","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libxml2-5856779bb2cc8107","name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2","type":"deb","locations":null,"language":"","licenses":["ISC AND LicenseRef-MIT-1"],"cpes":["cpe:2.3:a:libxml2:libxml2:2.12.7\\+dfsg\\+really2.9.14-2.1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. 
A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. 
A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. 
A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. 
A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. 
A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. 
A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. 
A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6846","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6846","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.001},"relatedVulnerabilities":[{"id":"CVE-2026-6846","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6846","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-6846","https://bugzilla.redhat.com/show_bug.cgi?id=2460006"],"description":"A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. 
A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.8,"exploitabilityScore":1.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6846","epss":0.0002,"percentile":0.05637,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6846","cwe":"CWE-122","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6846","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. 
One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. 
One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6844","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6844","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0009500000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-6844","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6844","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6844","https://bugzilla.redhat.com/show_bug.cgi?id=2460016"],"description":"A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. 
Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6844","epss":0.00019,"percentile":0.05102,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6844","cwe":"CWE-400","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6844","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-66866","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-66866","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.","cvss":[],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2025-66866","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-66866","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md"],"description":"An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE 
file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-66866","epss":0.00016,"percentile":0.03599,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-66866","cwe":"CWE-20","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-66866","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2008-5367","dataSource":"https://security-tracker.debian.org/tracker/CVE-2008-5367","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"ip-up in ppp-udeb 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the /tmp/resolv.conf.tmp temporary 
file.","cvss":[],"epss":[{"cve":"CVE-2008-5367","epss":0.00016,"percentile":0.03594,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-5367","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0008000000000000001},"relatedVulnerabilities":[{"id":"CVE-2008-5367","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2008-5367","namespace":"nvd:cpe","severity":"Medium","urls":["http://lists.debian.org/debian-devel/2008/08/msg00283.html"],"description":"ip-up in ppp-udeb 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the /tmp/resolv.conf.tmp temporary file.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:L/AC:M/Au:N/C:C/I:C/A:C","metrics":{"baseScore":6.9,"exploitabilityScore":3.4,"impactScore":10.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2008-5367","epss":0.00016,"percentile":0.03594,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2008-5367","cwe":"CWE-59","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"ppp","version":"2.5.2-1+1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2008-5367","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-ppp-896431ac4ef6d69e","name":"ppp","version":"2.5.2-1+1","type":"deb","locations":null,"language":"","licenses":["GPL-2.0-only"],"cpes":["cpe:2.3:a:ppp:ppp:2.5.2-1\\+1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/ppp@2.5.2-1%2B1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed 
down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-dirmngr-1503f6714851f186","name":"dirmngr","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:dirmngr:dirmngr:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/dirmngr@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively 
small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gnupg-e708db6544496117","name":"gnupg","version":"2.4.7-21+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg:gnupg:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2","upstreams":[{"name":"gnupg2"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of 
signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gnupg-l10n-aecb683b9f0b939d","name":"gnupg-l10n","version":"2.4.7-21+deb13u1","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg-l10n:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg-l10n:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_l10n:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_l10n:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg-l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg_l10n:2.4.7-21\\+deb13u1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg-l10n@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2","upstreams":[{"name":"gnupg2"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gnupg-utils-41247e5942d68018","name":"gnupg-utils","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gnupg-utils:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg-utils:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_utils:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg_utils:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg-utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gnupg:gnupg_utils:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gnupg-utils@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, 
compressed down to just a few KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-cd637b4dec7be710","name":"gpg","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg:gpg:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a 
relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-agent-4576e24fc7cc8670","name":"gpg-agent","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg-agent:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-agent:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_agent:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_agent:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg-agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg_agent:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg-agent@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpg-wks-client-6b2180724711c171","name":"gpg-wks-client","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND 
LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpg-wks-client:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks-client:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks_client:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks_client:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg-wks:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg_wks:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg-wks-client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*","cpe:2.3:a:gpg:gpg_wks_client:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpg-wks-client@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgconf-3b5f9b632f61a80b","name":"gpgconf","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgconf:gpgconf:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgconf@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively 
small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgsm-fc93e5f8d49a08ff","name":"gpgsm","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgsm:gpgsm:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgsm@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2022-3219","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-3219","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GnuPG can be made to spin on a relatively small input 
by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","cvss":[],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2022-3219","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219","namespace":"nvd:cpe","severity":"Low","urls":["https://access.redhat.com/security/cve/CVE-2022-3219","https://bugzilla.redhat.com/show_bug.cgi?id=2127010","https://dev.gnupg.org/D556","https://dev.gnupg.org/T5993","https://marc.info/?l=oss-security&m=165696590211434&w=4","https://security.netapp.com/advisory/ntap-20230324-0001/"],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few 
KB.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-3219","epss":0.00015,"percentile":0.03328,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-3219","cwe":"CWE-787","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"gnupg2","version":"2.4.7-21+deb13u1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2022-3219","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-gpgv-747a9fedcf815a7f","name":"gpgv","version":"2.4.7-21+deb13u1+b2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND CC0-1.0 AND LicenseRef-Expat AND GPL-2.0-or-later AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-RFC-Reference AND LicenseRef-TinySCHEME AND LicenseRef-permissive"],"cpes":["cpe:2.3:a:gpgv:gpgv:2.4.7-21\\+deb13u1\\+b2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gpgv@2.4.7-21%2Bdeb13u1%2Bb2?arch=arm64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1","upstreams":[{"name":"gnupg2","version":"2.4.7-21+deb13u1"}]}},{"vulnerability":{"id":"CVE-2026-3479","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3479","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"DISPUTED: The project has clarified that the documentation 
was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.  pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-3479","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3479","namespace":"nvd:cpe","severity":"Negligible","urls":["https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe","https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7","https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943","https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c","https://github.com/python/cpython/issues/146121","https://github.com/python/cpython/pull/146122","https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"],"description":"DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. 
There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":0},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3479","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-minimal-046b648e00b897c6","name":"libpython3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_minimal:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-3479","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3479","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.  
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-3479","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3479","namespace":"nvd:cpe","severity":"Negligible","urls":["https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe","https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7","https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943","https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c","https://github.com/python/cpython/issues/146121","https://github.com/python/cpython/pull/146122","https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"],"description":"DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. 
There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":0},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3479","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpython3.13-stdlib-147f5a733fdb04d8","name":"libpython3.13-stdlib","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:libpython3.13-stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13-stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13_stdlib:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13-stdlib:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:libpython3.13:libpython3.13_stdlib:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-3479","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3479","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.  
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-3479","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3479","namespace":"nvd:cpe","severity":"Negligible","urls":["https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe","https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7","https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943","https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c","https://github.com/python/cpython/issues/146121","https://github.com/python/cpython/pull/146122","https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"],"description":"DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. 
There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":0},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3479","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-499a45ff5be792b3","name":"python3.13","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13:python3.13:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13@3.13.5-2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3479","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3479","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.  
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007499999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-3479","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3479","namespace":"nvd:cpe","severity":"Negligible","urls":["https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe","https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7","https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943","https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c","https://github.com/python/cpython/issues/146121","https://github.com/python/cpython/pull/146122","https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"],"description":"DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. 
There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.","cvss":[{"source":"cna@python.org","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":0},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3479","epss":0.00015,"percentile":0.03299,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3479","cwe":"CWE-22","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"python3.13","version":"3.13.5-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3479","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-python3.13-minimal-1f7114a391e22f8d","name":"python3.13-minimal","version":"3.13.5-2","type":"deb","locations":null,"language":"","licenses":["By AND GPL-2.0-only AND LicenseRef-Permission AND LicenseRef-Redistribution AND 
LicenseRef-This"],"cpes":["cpe:2.3:a:python3.13-minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13-minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13_minimal:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13-minimal:3.13.5-2:*:*:*:*:*:*:*","cpe:2.3:a:python3.13:python3.13_minimal:3.13.5-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=arm64&distro=debian-13&upstream=python3.13","upstreams":[{"name":"python3.13"}]}},{"vulnerability":{"id":"CVE-2026-32249","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-32249","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. 
This vulnerability is fixed in 9.2.0137.","cvss":[],"epss":[{"cve":"CVE-2026-32249","epss":0.00014,"percentile":0.02732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32249","cwe":"CWE-476","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007},"relatedVulnerabilities":[{"id":"CVE-2026-32249","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-32249","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec","https://github.com/vim/vim/releases/tag/v9.2.0137","https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r"],"description":"Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. 
This vulnerability is fixed in 9.2.0137.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32249","epss":0.00014,"percentile":0.02732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32249","cwe":"CWE-476","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-32249","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-32249","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-32249","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. 
This vulnerability is fixed in 9.2.0137.","cvss":[],"epss":[{"cve":"CVE-2026-32249","epss":0.00014,"percentile":0.02732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32249","cwe":"CWE-476","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007},"relatedVulnerabilities":[{"id":"CVE-2026-32249","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-32249","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec","https://github.com/vim/vim/releases/tag/v9.2.0137","https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r"],"description":"Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. 
This vulnerability is fixed in 9.2.0137.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32249","epss":0.00014,"percentile":0.02732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32249","cwe":"CWE-476","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-32249","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-32249","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-32249","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. 
This vulnerability is fixed in 9.2.0137.","cvss":[],"epss":[{"cve":"CVE-2026-32249","epss":0.00014,"percentile":0.02732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32249","cwe":"CWE-476","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007},"relatedVulnerabilities":[{"id":"CVE-2026-32249","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-32249","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec","https://github.com/vim/vim/releases/tag/v9.2.0137","https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r"],"description":"Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. 
This vulnerability is fixed in 9.2.0137.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":1.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-32249","epss":0.00014,"percentile":0.02732,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-32249","cwe":"CWE-476","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-32249","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2024-25260","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-25260","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"elfutils v0.189 was discovered 
to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.","cvss":[],"epss":[{"cve":"CVE-2024-25260","epss":0.00014,"percentile":0.02667,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-25260","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007},"relatedVulnerabilities":[{"id":"CVE-2024-25260","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-25260","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/schsiung/fuzzer_issues/issues/1","https://sourceware.org/bugzilla/show_bug.cgi?id=31058","https://sourceware.org/elfutils/"],"description":"elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4,"exploitabilityScore":2.6,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-25260","epss":0.00014,"percentile":0.02667,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-25260","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-25260","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libdw1t64-c1ee80f31f7dbed2","name":"libdw1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libdw1t64:libdw1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libdw1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2024-25260","dataSource":"https://security-tracker.debian.org/tracker/CVE-2024-25260","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.","cvss":[],"epss":[{"cve":"CVE-2024-25260","epss":0.00014,"percentile":0.02667,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-25260","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0007},"relatedVulnerabilities":[{"id":"CVE-2024-25260","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-25260","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/schsiung/fuzzer_issues/issues/1","https://sourceware.org/bugzilla/show_bug.cgi?id=31058","https://sourceware.org/elfutils/"],"description":"elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":4,"exploitabilityScore":2.6,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-25260","epss":0.00014,"percentile":0.02667,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2024-25260","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2024-25260","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libelf1t64-0cd60a52cc5d00d2","name":"libelf1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libelf1t64:libelf1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libelf1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-7519","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7519","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.","cvss":[],"epss":[{"cve":"CVE-2025-7519","epss":0.00013,"percentile":0.02109,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7519","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00065},"relatedVulnerabilities":[{"id":"CVE-2025-7519","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7519","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2025-7519","https://bugzilla.redhat.com/show_bug.cgi?id=2379675","https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245","https://github.com/polkit-org/polkit/pull/570"],"description":"A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. 
This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7519","epss":0.00013,"percentile":0.02109,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7519","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"policykit-1","version":"126-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7519","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpolkit-agent-1-0-f1731eb7f133c36d","name":"libpolkit-agent-1-0","version":"126-2","type":"deb","locations":null,"language":"","licenses":["Expat AND LGPL-2.0-only AND 
LGPL-2.0-or-later"],"cpes":["cpe:2.3:a:libpolkit-agent-1-0:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent-1-0:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1_0:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1_0:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent-1:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent-1:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent_1:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-agent:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_agent:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit-agent-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit_agent_1_0:126-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpolkit-agent-1-0@126-2?arch=arm64&distro=debian-13&upstream=policykit-1","upstreams":[{"name":"policykit-1"}]}},{"vulnerability":{"id":"CVE-2025-7519","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7519","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. 
To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.","cvss":[],"epss":[{"cve":"CVE-2025-7519","epss":0.00013,"percentile":0.02109,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7519","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00065},"relatedVulnerabilities":[{"id":"CVE-2025-7519","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7519","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2025-7519","https://bugzilla.redhat.com/show_bug.cgi?id=2379675","https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245","https://github.com/polkit-org/polkit/pull/570"],"description":"A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. 
To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7519","epss":0.00013,"percentile":0.02109,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7519","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"policykit-1","version":"126-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7519","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libpolkit-gobject-1-0-60e058e81a86de11","name":"libpolkit-gobject-1-0","version":"126-2","type":"deb","locations":null,"language":"","licenses":["Expat AND LGPL-2.0-only AND 
LGPL-2.0-or-later"],"cpes":["cpe:2.3:a:libpolkit-gobject-1-0:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject-1-0:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1_0:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1_0:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject-1:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject-1:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject_1:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit-gobject:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit_gobject:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit-gobject-1-0:126-2:*:*:*:*:*:*:*","cpe:2.3:a:libpolkit:libpolkit_gobject_1_0:126-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libpolkit-gobject-1-0@126-2?arch=arm64&distro=debian-13&upstream=policykit-1","upstreams":[{"name":"policykit-1"}]}},{"vulnerability":{"id":"CVE-2025-7519","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-7519","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. 
To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.","cvss":[],"epss":[{"cve":"CVE-2025-7519","epss":0.00013,"percentile":0.02109,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7519","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00065},"relatedVulnerabilities":[{"id":"CVE-2025-7519","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7519","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2025-7519","https://bugzilla.redhat.com/show_bug.cgi?id=2379675","https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245","https://github.com/polkit-org/polkit/pull/570"],"description":"A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. 
To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":6.7,"exploitabilityScore":0.8,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7519","epss":0.00013,"percentile":0.02109,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-7519","cwe":"CWE-787","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"policykit-1","version":"126-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-7519","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-polkitd-c3c2e4a91a094c40","name":"polkitd","version":"126-2","type":"deb","locations":null,"language":"","licenses":["Expat AND LGPL-2.0-only AND LGPL-2.0-or-later"],"cpes":["cpe:2.3:a:polkitd:polkitd:126-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/polkitd@126-2?arch=arm64&distro=debian-13&upstream=policykit-1","upstreams":[{"name":"policykit-1"}]}},{"vulnerability":{"id":"CVE-2025-1377","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1377","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. 
It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1377","epss":0.00011,"percentile":0.01404,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1377","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00055},"relatedVulnerabilities":[{"id":"CVE-2025-1377","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1377","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15941","https://sourceware.org/bugzilla/show_bug.cgi?id=32673","https://sourceware.org/bugzilla/show_bug.cgi?id=32673#c2","https://vuldb.com/?ctiid.295985","https://vuldb.com/?id.295985","https://vuldb.com/?submit.497539","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. 
It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1377","epss":0.00011,"percentile":0.01404,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1377","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1377","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libdw1t64-c1ee80f31f7dbed2","name":"libdw1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libdw1t64:libdw1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libdw1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1377","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1377","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1377","epss":0.00011,"percentile":0.01404,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1377","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00055},"relatedVulnerabilities":[{"id":"CVE-2025-1377","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1377","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15941","https://sourceware.org/bugzilla/show_bug.cgi?id=32673","https://sourceware.org/bugzilla/show_bug.cgi?id=32673#c2","https://vuldb.com/?ctiid.295985","https://vuldb.com/?id.295985","https://vuldb.com/?submit.497539","https://www.gnu.org/"],"description":"A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. 
The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":4.8},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1.7,"exploitabilityScore":3.2,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1377","epss":0.00011,"percentile":0.01404,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1377","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1377","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libelf1t64-0cd60a52cc5d00d2","name":"libelf1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libelf1t64:libelf1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libelf1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1376","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1376","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1376","epss":0.0001,"percentile":0.01178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1376","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0005},"relatedVulnerabilities":[{"id":"CVE-2025-1376","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1376","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15940","https://sourceware.org/bugzilla/show_bug.cgi?id=32672","https://sourceware.org/bugzilla/show_bug.cgi?id=32672#c3","https://vuldb.com/?ctiid.295984","https://vuldb.com/?id.295984","https://vuldb.com/?submit.497538","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. 
The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:H/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1,"exploitabilityScore":1.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1376","epss":0.0001,"percentile":0.01178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1376","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1376","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libdw1t64-c1ee80f31f7dbed2","name":"libdw1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libdw1t64:libdw1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libdw1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2025-1376","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-1376","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.","cvss":[],"epss":[{"cve":"CVE-2025-1376","epss":0.0001,"percentile":0.01178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1376","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.0005},"relatedVulnerabilities":[{"id":"CVE-2025-1376","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-1376","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/attachment.cgi?id=15940","https://sourceware.org/bugzilla/show_bug.cgi?id=32672","https://sourceware.org/bugzilla/show_bug.cgi?id=32672#c3","https://vuldb.com/?ctiid.295984","https://vuldb.com/?id.295984","https://vuldb.com/?submit.497538","https://www.gnu.org/"],"description":"A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. 
The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":4.7,"exploitabilityScore":1.1,"impactScore":3.6},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":2},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.5,"exploitabilityScore":1.1,"impactScore":1.5},"vendorMetadata":{}},{"source":"cna@vuldb.com","type":"Secondary","version":"2.0","vector":"AV:L/AC:H/Au:S/C:N/I:N/A:P","metrics":{"baseScore":1,"exploitabilityScore":1.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-1376","epss":0.0001,"percentile":0.01178,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-1376","cwe":"CWE-404","source":"cna@vuldb.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"elfutils","version":"0.192-4"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-1376","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libelf1t64-0cd60a52cc5d00d2","name":"libelf1t64","version":"0.192-4","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND GFDL-1.3-only AND LicenseRef-GFDL-NIV-1.3 AND GPL-2.0-only AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND 
LGPL-3.0-or-later"],"cpes":["cpe:2.3:a:libelf1t64:libelf1t64:0.192-4:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libelf1t64@0.192-4?arch=arm64&distro=debian-13&upstream=elfutils","upstreams":[{"name":"elfutils"}]}},{"vulnerability":{"id":"CVE-2026-1757","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-1757","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.","cvss":[],"epss":[{"cve":"CVE-2026-1757","epss":0.00009,"percentile":0.00935,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1757","cwe":"CWE-401","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00045},"relatedVulnerabilities":[{"id":"CVE-2026-1757","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-1757","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:7519","https://access.redhat.com/security/cve/CVE-2026-1757","https://bugzilla.redhat.com/show_bug.cgi?id=2435940","https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009"],"description":"A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. 
Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.2,"exploitabilityScore":2.6,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-1757","epss":0.00009,"percentile":0.00935,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-1757","cwe":"CWE-401","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-1757","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libxml2-5856779bb2cc8107","name":"libxml2","version":"2.12.7+dfsg+really2.9.14-2.1+deb13u2","type":"deb","locations":null,"language":"","licenses":["ISC AND LicenseRef-MIT-1"],"cpes":["cpe:2.3:a:libxml2:libxml2:2.12.7\\+dfsg\\+really2.9.14-2.1\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. 
The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. 
A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69644","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69644","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69644","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69644","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33639","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"],"description":"An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. 
This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69644","epss":0.00007,"percentile":0.00649,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69644","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69644","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-14017","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14017","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.  
Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.","cvss":[],"epss":[{"cve":"CVE-2025-14017","epss":0.00007,"percentile":0.00624,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14017","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14017","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14017","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14017.html","https://curl.se/docs/CVE-2025-14017.json","http://www.openwall.com/lists/oss-security/2026/01/07/3"],"description":"When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.3,"exploitabilityScore":1.1,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14017","epss":0.00007,"percentile":0.00624,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14017","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14017","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND 
BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-14017","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14017","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.  Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.","cvss":[],"epss":[{"cve":"CVE-2025-14017","epss":0.00007,"percentile":0.00624,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14017","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14017","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14017","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14017.html","https://curl.se/docs/CVE-2025-14017.json","http://www.openwall.com/lists/oss-security/2026/01/07/3"],"description":"When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as 
well.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.3,"exploitabilityScore":1.1,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14017","epss":0.00007,"percentile":0.00624,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14017","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14017","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-14017","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14017","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing 
TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.  Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.","cvss":[],"epss":[{"cve":"CVE-2025-14017","epss":0.00007,"percentile":0.00624,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14017","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14017","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14017","namespace":"nvd:cpe","severity":"Medium","urls":["https://curl.se/docs/CVE-2025-14017.html","https://curl.se/docs/CVE-2025-14017.json","http://www.openwall.com/lists/oss-security/2026/01/07/3"],"description":"When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":6.3,"exploitabilityScore":1.1,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14017","epss":0.00007,"percentile":0.00624,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14017","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14017","versionConstraint":"none 
(unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https:
//bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdextrautils-c23db0b188308a2a","name":"bsdextrautils","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdextrautils:bsdextrautils:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdextrautils@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-bsdutils-e11ccc6cace058fe","name":"bsdutils","version":"1:2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:bsdutils:bsdutils:1\\:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/bsdutils@1%3A2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-eject-ea768bbeeffb7a52","name":"eject","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:eject:eject:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/eject@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-fdisk-ec3e750aea21e029","name":"fdisk","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:fdisk:fdisk:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/fdisk@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libblkid1-56b1dc826d98b9e9","name":"libblkid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libblkid1:libblkid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libblkid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libfdisk1-bbbefcb8907b3bd7","name":"libfdisk1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libfdisk1:libfdisk1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libfdisk1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-liblastlog2-2-ad0e084a4ff7b411","name":"liblastlog2-2","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:liblastlog2-2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2-2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2_2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2-2:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:liblastlog2:liblastlog2_2:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/liblastlog2-2@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com
/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libmount1-66459d6a2e55223e","name":"libmount1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libmount1:libmount1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libmount1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsmartcols1-92fb21c80f37cd86","name":"libsmartcols1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libsmartcols1:libsmartcols1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsmartcols1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libuuid1-fd028c3811b88694","name":"libuuid1","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:libuuid1:libuuid1:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libuuid1@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-login-b08f21232e226b47","name":"login","version":"1:4.16.0-2+really2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:login:login:1\\:4.16.0-2\\+really2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=arm64&distro=debian-13&upstream=util-linux%402.41-5","upstreams":[{"name":"util-linux","version":"2.41-5"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-mount-2a84395d15f466a5","name":"mount","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:mount:mount:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/mount@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-rfkill-6166963bfe2df59a","name":"rfkill","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:rfkill:rfkill:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/rfkill@2.41-5?arch=arm64&distro=debian-13&upstream=util-linux","upstreams":[{"name":"util-linux"}]}},{"vulnerability":{"id":"CVE-2025-14104","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-14104","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-14104","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-14104","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/errata/RHSA-2026:1696","https://access.redhat.com/errata/RHSA-2026:1852","https://access.redhat.com/errata/RHSA-2026:1913","https://access.redhat.com/errata/RHSA-2026:2485","https://access.redhat.com/errata/RHSA-2026:2563","https://access.redhat.com/errata/RHSA-2026:2737","https://access.redhat.com/errata/RHSA-2026:2800","https://access.redhat.com/errata/RHSA-2026:3406","https://access.redhat.com/errata/RHSA-2026:4943","https://access.redhat.com/errata/RHSA-2026:7180","https://access.redhat.com/security/cve/CVE-2025-14104","https://bugzilla.redhat.com/show_bug.cgi?id=2419369"],"description":"A flaw was found in util-linux. 
This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.","cvss":[{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-14104","epss":0.00007,"percentile":0.00585,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-14104","cwe":"CWE-125","source":"secalert@redhat.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"util-linux","version":"2.41-5"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-14104","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-util-linux-ffaa6c8a5d0e2ea9","name":"util-linux","version":"2.41-5","type":"deb","locations":null,"language":"","licenses":["BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND LicenseRef-BSLA AND LicenseRef-Expat AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND ISC AND LicenseRef-LGPL AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND 
LicenseRef-public-domain"],"cpes":["cpe:2.3:a:util-linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util-linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util_linux:util_linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util-linux:2.41-5:*:*:*:*:*:*:*","cpe:2.3:a:util:util_linux:2.41-5:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/util-linux@2.41-5?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. 
Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. 
No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. 
Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. 
Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69651","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69651","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. 
Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00035},"relatedVulnerabilities":[{"id":"CVE-2025-69651","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69651","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33698","https://sourceware.org/bugzilla/show_bug.cgi?id=33700","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=81e90cf63a10ad11772c2437c8f2a88f1a00c739","https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ea4bc025abdba85a90e26e13f551c16a44bfa92","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921"],"description":"GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. 
NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69651","epss":0.00007,"percentile":0.00576,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69651","cwe":"CWE-476","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69651","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. 
A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. 
A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. 
A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69646","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69646","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69646","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69646","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33638","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. 
A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69646","epss":0.00006,"percentile":0.00395,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69646","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69646","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. 
A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. 
A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2025-69645","dataSource":"https://security-tracker.debian.org/tracker/CVE-2025-69645","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2025-69645","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-69645","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33637","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677"],"description":"Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. 
A local attacker can trigger the crash by supplying a malicious input file.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-69645","epss":0.00006,"percentile":0.00384,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2025-69645","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2025-69645","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. 
This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. 
An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in 
GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3441","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3441","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. 
By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3441","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3441","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3441","https://bugzilla.redhat.com/show_bug.cgi?id=2443826"],"description":"A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3441","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3441","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3441","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-3442","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-3442","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. 
Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.","cvss":[],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00030000000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-3442","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3442","namespace":"nvd:cpe","severity":"High","urls":["https://access.redhat.com/security/cve/CVE-2026-3442","https://bugzilla.redhat.com/show_bug.cgi?id=2443828"],"description":"A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of 
service.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3442","epss":0.00006,"percentile":0.00335,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-3442","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-3442","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-6845","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6845","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-6845","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6845","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-6845","https://bugzilla.redhat.com/show_bug.cgi?id=2460012"],"description":"A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. 
The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.","cvss":[{"source":"secalert@redhat.com","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":5,"exploitabilityScore":1.4,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6845","epss":0.00005,"percentile":0.00269,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-6845","cwe":"CWE-476","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6845","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-28422","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28422","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. 
Version 9.2.0078 patches the issue.","cvss":[],"epss":[{"cve":"CVE-2026-28422","epss":0.00005,"percentile":0.00212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28422","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-28422","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28422","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/vim/vim/commit/4e5b9e31cb7484ad156f","https://github.com/vim/vim/releases/tag/v9.2.0078","https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf","http://www.openwall.com/lists/oss-security/2026/02/27/11"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.2,"exploitabilityScore":0.8,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28422","epss":0.00005,"percentile":0.00212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28422","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28422","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-common-4367f69a05b82152","name":"vim-common","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND 
LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_common:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-common:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_common:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-common@2%3A9.1.1230-2?arch=all&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28422","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28422","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. 
Version 9.2.0078 patches the issue.","cvss":[],"epss":[{"cve":"CVE-2026-28422","epss":0.00005,"percentile":0.00212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28422","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-28422","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28422","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/vim/vim/commit/4e5b9e31cb7484ad156f","https://github.com/vim/vim/releases/tag/v9.2.0078","https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf","http://www.openwall.com/lists/oss-security/2026/02/27/11"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.2,"exploitabilityScore":0.8,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28422","epss":0.00005,"percentile":0.00212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28422","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28422","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-vim-tiny-5c7c847083c4bd87","name":"vim-tiny","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND 
LicenseRef-Compaq AND LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:vim-tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim-tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim_tiny:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim-tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*","cpe:2.3:a:vim:vim_tiny:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/vim-tiny@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-28422","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-28422","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. 
Version 9.2.0078 patches the issue.","cvss":[],"epss":[{"cve":"CVE-2026-28422","epss":0.00005,"percentile":0.00212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28422","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00025},"relatedVulnerabilities":[{"id":"CVE-2026-28422","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-28422","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/vim/vim/commit/4e5b9e31cb7484ad156f","https://github.com/vim/vim/releases/tag/v9.2.0078","https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf","http://www.openwall.com/lists/oss-security/2026/02/27/11"],"description":"Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N","metrics":{"baseScore":2.2,"exploitabilityScore":0.8,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-28422","epss":0.00005,"percentile":0.00212,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-28422","cwe":"CWE-121","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"vim","version":"2:9.1.1230-2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-28422","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-xxd-6f3fa221d952a513","name":"xxd","version":"2:9.1.1230-2","type":"deb","locations":null,"language":"","licenses":["Apache AND Apache-2.0 AND LicenseRef-Artistic AND Artistic-1.0 AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Compaq AND 
LicenseRef-EDL-1 AND LicenseRef-Expat AND GPL-1.0-only AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-OPL-1- AND LicenseRef-UC AND Unlicense AND Vim AND LicenseRef-Vim-Regexp AND X11 AND LicenseRef-XPM AND LicenseRef-public-domain"],"cpes":["cpe:2.3:a:xxd:xxd:2\\:9.1.1230-2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/xxd@2%3A9.1.1230-2?arch=arm64&distro=debian-13&upstream=vim","upstreams":[{"name":"vim"}]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. 
The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-94401015b7d6f1f9","name":"binutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils:binutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils@2.44-3?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. 
The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-aarch64-linux-gnu-f2f09aff3cdea452","name":"binutils-aarch64-linux-gnu","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-aarch64-linux-gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux-gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux_gnu:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64-linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64_linux:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_aarch64:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-aarch64-linux-gnu:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_aarch64_linux_gnu:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-aarch64-linux-gnu@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-binutils-common-4383c0f0dbb5f193","name":"binutils-common","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:binutils-common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils-common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils_common:binutils_common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils-common:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:binutils:binutils_common:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/binutils-common@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was 
found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libbinutils-5b9860305624db39","name":"libbinutils","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libbinutils:libbinutils:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libbinutils@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. 
This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf-nobfd0-d52820243603eced","name":"libctf-nobfd0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf-nobfd0:2.44-3:*:*:*:*:*:*:*","cpe:2.3:a:libctf:libctf_nobfd0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf-nobfd0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the GNU Binutils BFD 
library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libctf0-20f434c3117ab9e2","name":"libctf0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libctf0:libctf0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libctf0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libgprofng0-3bd71aeb7bab658d","name":"libgprofng0","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libgprofng0:libgprofng0:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libgprofng0@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-4647","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4647","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. 
This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.00020000000000000004},"relatedVulnerabilities":[{"id":"CVE-2026-4647","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4647","namespace":"nvd:cpe","severity":"Medium","urls":["https://access.redhat.com/security/cve/CVE-2026-4647","https://bugzilla.redhat.com/show_bug.cgi?id=2450302","https://sourceware.org/bugzilla/show_bug.cgi?id=33919"],"description":"A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. 
As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"secalert@redhat.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4647","epss":0.00004,"percentile":0.002,"date":"2026-04-29"}],"cwes":[{"cve":"CVE-2026-4647","cwe":"CWE-125","source":"secalert@redhat.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"binutils","version":"2.44-3"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4647","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libsframe1-fc8a3ede3420cb30","name":"libsframe1","version":"2.44-3","type":"deb","locations":null,"language":"","licenses":["GFDL AND LicenseRef-GPL AND 
LicenseRef-LGPL"],"cpes":["cpe:2.3:a:libsframe1:libsframe1:2.44-3:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libsframe1@2.44-3?arch=arm64&distro=debian-13&upstream=binutils","upstreams":[{"name":"binutils"}]}},{"vulnerability":{"id":"CVE-2026-2574","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2574","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"cvss":[],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-2574","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2574","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-bf0f6ae664cbde32","name":"glib-networking","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking@2.80.1-1?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-2574","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2574","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"cvss":[],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-2574","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2574","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-common-be064f536c9d2a66","name":"glib-networking-common","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking-common:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking-common:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_common:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_common:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking-common:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking_common:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking-common@2.80.1-1?arch=all&distro=debian-13&upstream=glib-networking","upstreams":[{"name":"glib-networking"}]}},{"vulnerability":{"id":"CVE-2026-2574","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-2574","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"cvss":[],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-2574","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glib-networking","version":"2.80.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-2574","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-glib-networking-services-b92ebcebb892237e","name":"glib-networking-services","version":"2.80.1-1","type":"deb","locations":null,"language":"","licenses":["LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND 
LGPL-2.1-or-later"],"cpes":["cpe:2.3:a:glib-networking-services:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking-services:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_services:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking_services:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib-networking:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib_networking:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib-networking-services:2.80.1-1:*:*:*:*:*:*:*","cpe:2.3:a:glib:glib_networking_services:2.80.1-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/glib-networking-services@2.80.1-1?arch=arm64&distro=debian-13&upstream=glib-networking","upstreams":[{"name":"glib-networking"}]}},{"vulnerability":{"id":"CVE-2026-4873","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4873","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-4873","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4873","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-5545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5545","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-5545","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-5773","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5773","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-5773","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5773","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6253","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6253","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6253","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6253","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6276","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6276","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6429","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6429","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6429","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6429","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-7168","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-7168","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-7168","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-7168","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-curl-3ccde94d10bd3577","name":"curl","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:curl:curl:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4873","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4873","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-4873","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4873","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-5545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5545","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-5545","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-5773","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5773","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-5773","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5773","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-6253","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6253","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6253","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6253","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-6276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6276","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6276","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-6429","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6429","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6429","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6429","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-7168","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-7168","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-7168","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-7168","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl3t64-gnutls-bafd0de8363f82b9","name":"libcurl3t64-gnutls","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64-gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64_gnutls:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64-gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*","cpe:2.3:a:libcurl3t64:libcurl3t64_gnutls:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-4873","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4873","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-4873","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4873","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-5545","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5545","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-5545","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5545","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-5773","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5773","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-5773","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5773","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-6253","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6253","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6253","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6253","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-6276","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6276","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6276","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6276","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-6429","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6429","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-6429","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6429","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND 
curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-7168","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-7168","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-7168","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"curl","version":"8.14.1-2+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-7168","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-libcurl4t64-0f4c746de9ba6ba4","name":"libcurl4t64","version":"8.14.1-2+deb13u2","type":"deb","locations":null,"language":"","licenses":["BSD-3-Clause AND BSD-3-Clause AND BSD-4-Clause-UC AND FSFULLR AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ISC AND OLDAP-2.8 AND X11 AND curl"],"cpes":["cpe:2.3:a:libcurl4t64:libcurl4t64:8.14.1-2\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=arm64&distro=debian-13&upstream=curl","upstreams":[{"name":"curl"}]}},{"vulnerability":{"id":"CVE-2026-40556","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-40556","namespace":"debian:distro:debian:13","severity":"Unknown","urls":[],"description":"GNU nano creates the user’s ~/.local directory with overly permissive permissions when the directory does not exist yet. 
On first use of features requiring Cross-Desktop Group (XDG) data storage, nano explicitly requests directory mode 0777, making the directory world‑writable in environments where the process umask does not sufficiently restrict permissions. In systems with a relaxed or zero umask, such as container environments, CI/CD runners, embedded systems, or user shells configured with umask 000, this results in ~/.local being created as world‑writable. A local attacker can exploit a race window between nano’s creation of ~/.local and its subsequent creation of more restrictive subdirectories to write attacker‑controlled files into the victim’s XDG directory hierarchy.  This problem was fixed in nano version 9.0","cvss":[],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-40556","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-40556","namespace":"nvd:cpe","severity":"Unknown","urls":[],"description":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.","cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"nano","version":"8.4-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-40556","versionConstraint":"none (unknown)"}}],"artifact":{"id":"Package-deb-nano-0906c22c973e82bb","name":"nano","version":"8.4-1","type":"deb","locations":null,"language":"","licenses":["GFDL-1.2-only AND LicenseRef-GFDL-NIV- AND GPL-3.0-only AND 
GPL-3.0-or-later"],"cpes":["cpe:2.3:a:nano:nano:8.4-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/nano@8.4-1?arch=arm64&distro=debian-13","upstreams":[]}}],"source":{"type":"directory","target":"260430-9de583eb533e-revpi-trixie-arm64-lite"},"distro":{"name":"debian","version":"13","idLike":["debian"]},"descriptor":{"name":"grype","version":"0.111.1","configuration":{"output":["json=/builds/revolutionpi/debos-build/build/vuln-260430-9de583eb533e-revpi-trixie-arm64-lite.json"],"file":"","pretty":false,"distro":"","add-cpes-if-none":false,"output-template-file":"","check-for-app-update":true,"only-fixed":false,"only-notfixed":false,"ignore-wontfix":"","platform":"","search":{"scope":"squashed","unindexed-archives":false,"indexed-archives":true},"ignore":[{"vulnerability":"","include-aliases":false,"reason":"","namespace":"","fix-state":"","package":{"name":"kernel-headers","version":"","language":"","type":"rpm","location":"","upstream-name":"kernel"},"vex-status":"","vex-justification":"","match-type":"exact-indirect-match"},{"vulnerability":"","include-aliases":false,"reason":"","namespace":"","fix-state":"","package":{"name":"linux(-.*)?-headers-.*","version":"","language":"","type":"deb","location":"","upstream-name":"linux.*"},"vex-status":"","vex-justification":"","match-type":"exact-indirect-match"},{"vulnerability":"","include-aliases":false,"reason":"","namespace":"","fix-state":"","package":{"name":"linux-libc-dev","version":"","language":"","type":"deb","location":"","upstream-name":"linux"},"vex-status":"","vex-justification":"","match-type":"exact-indirect-match"}],"exclude":[],"externalSources":{"enable":false,"maven":{"searchUpstreamBySha1":true,"baseUrl":"https://search.maven.org/solrsearch/select","rateLimit":300000000}},"match":{"java":{"using-cpes":false},"jvm":{"using-cpes":true},"dotnet":{"using-cpes":false},"golang":{"using-cpes":false,"always-use-cpe-for-stdlib":true,"allow-main-module-pseudo-version-comparison":false},"javascript":{"using-cpes":false
},"python":{"using-cpes":false},"ruby":{"using-cpes":false},"rust":{"using-cpes":false},"hex":{"using-cpes":false},"stock":{"using-cpes":true},"dpkg":{"using-cpes":false,"missing-epoch-strategy":"zero","use-cpes-for-eol":false},"rpm":{"using-cpes":false,"missing-epoch-strategy":"auto","use-cpes-for-eol":false}},"fail-on-severity":"","registry":{"insecure-skip-tls-verify":false,"insecure-use-http":false,"ca-cert":""},"show-suppressed":false,"by-cve":false,"SortBy":{"sort-by":"risk"},"name":"","default-image-pull-source":"","from":null,"vex-documents":[],"vex-add":[],"match-upstream-kernel-headers":false,"fix-channel":{"redhat-eus":{"apply":"auto","versions":">= 8.0"}},"timestamp":true,"alerts":{"enable-eol-distro-warnings":true},"db":{"cache-dir":"/root/.cache/grype/db","update-url":"https://grype.anchore.io/databases","ca-cert":"","auto-update":true,"validate-by-hash-on-start":true,"validate-age":true,"max-allowed-built-age":432000000000000,"require-update-check":false,"update-available-timeout":30000000000,"update-download-timeout":300000000000,"max-update-check-frequency":7200000000000},"exp":{},"dev":{"db":{"debug":false}}},"db":{"status":{"schemaVersion":"v6.1.4","from":"https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.4_2026-04-30T00:44:46Z_1777533096.tar.zst?checksum=sha256%3A129598b42fefea95ad6c61ee5f9458c335e5d8867a860d298a6e53f1b6e77faf","built":"2026-04-30T07:11:36Z","path":"/root/.cache/grype/db/6/vulnerability.db","valid":true},"providers":{"alma":{"captured":"2026-04-30T00:45:01Z","input":"xxh64:5296ae476efa3d20"},"alpine":{"captured":"2026-04-30T00:45:04Z","input":"xxh64:11b2b2a829f4e799"},"amazon":{"captured":"2026-04-30T00:45:07Z","input":"xxh64:4882fc52a95e9861"},"arch":{"captured":"2026-04-30T00:44:59Z","input":"xxh64:226aff31bb581d34"},"bitnami":{"captured":"2026-04-30T00:45:01Z","input":"xxh64:53e75489793fca54"},"chainguard":{"captured":"2026-04-30T00:45:12Z","input":"xxh64:799ce46512343b4c"},"chainguard-libraries":{"captured":"2026-04
-30T00:45:01Z","input":"xxh64:56913e717f7928b0"},"debian":{"captured":"2026-04-30T00:44:57Z","input":"xxh64:ec78408260ad0b8e"},"echo":{"captured":"2026-04-30T00:45:00Z","input":"xxh64:7af387a838e6bf09"},"eol":{"captured":"2026-04-30T00:45:13Z","input":"xxh64:8a60ecedcb38dfa8"},"epss":{"captured":"2026-04-30T00:45:11Z","input":"xxh64:eb3669a2caaad07f"},"fedora":{"captured":"2026-04-30T00:44:59Z","input":"xxh64:d87b49515d30ba63"},"github":{"captured":"2026-04-30T00:45:15Z","input":"xxh64:ec364f8365b828c3"},"hummingbird":{"captured":"2026-04-30T00:45:23Z","input":"xxh64:dee2adf90daf634d"},"kev":{"captured":"2026-04-30T00:45:03Z","input":"xxh64:03f1871a6841ffc3"},"mariner":{"captured":"2026-04-30T00:45:08Z","input":"xxh64:0c9b10890428a982"},"minimos":{"captured":"2026-04-30T00:45:20Z","input":"xxh64:159be84c58ccfae1"},"nvd":{"captured":"2026-04-30T00:45:12Z","input":"xxh64:5731e79e1fc986a6"},"oracle":{"captured":"2026-04-30T00:45:58Z","input":"xxh64:2c349c03d3697e70"},"photon":{"captured":"2026-04-30T00:45:10Z","input":"xxh64:72d66659a21aa0e5"},"rhel":{"captured":"2026-04-30T00:45:31Z","input":"xxh64:59f7218861cbbcad"},"secureos":{"captured":"2026-04-30T00:44:52Z","input":"xxh64:cc9c129aff20f975"},"sles":{"captured":"2026-04-30T00:44:46Z","input":"xxh64:ef64353f91918b90"},"ubuntu":{"captured":"2026-04-30T00:52:48Z","input":"xxh64:e5171478df520a52"},"wolfi":{"captured":"2026-04-30T00:44:59Z","input":"xxh64:e0f19bdb221c40dc"}}},"timestamp":"2026-04-30T13:07:55.17241816Z"}}
