Network Services Group

Network Services Group https://validator.w3.org/feed/docs/rss2.html Blog CVE-2026-21717 A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Transforming online retail through cloud order management systems CVE-2026-39829 Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh CVE-2026-39821 Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh CVE-2025-23167 A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `rnrX` instead of the required `rnrn`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. CVE-2024-36137 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the –allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. CVE-2026-40034 gitoxide – Command Injection via Partial .gitmodules Override in gix-submodule CVE-2026-44839 RabbitMQ: Unsanitized vhost names allow for XSS in management UI CVE-2025-15649 IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob CVE-2026-28387 Potential Use-after-free in DANE Client Code CVE-2026-28388 NULL Pointer Dereference When Processing a Delta CRL CVE-2026-34874 An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0. Keep your Mac safe from modern ransomware threats CVE-2026-43619 Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls How MTD boosts Android devices’ security 5 Ways softphones help businesses work smarter CVE-2024-22018 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the –allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. 7 Windows 11 features SMBs should use Welcome to Network Services Group CVE-2026-25833 Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function CVE-2026-41054 Missing exit out of permission check in haveged could lead to root exploit CVE-2025-68768 inet: frags: flush pending skbs in fqdir_pre_exit() CVE-2026-42944 Heap overflow with multiple NSID, COOKIE, PADDING EDNS options CVE-2026-42923 Degradation of service with unbounded NSEC3 hash calculations CVE-2025-38096 wifi: iwlwifi: don't warn when if there is a FW error CVE-2026-40622 Another 'ghost domain names' attack variant CVE-2025-38140 dm: limit swapping tables for devices with zone write plugs CVE-2026-42534 Jostle logic bypass degrades resolution performance Elevating search rankings through smart image optimization CVE-2026-25834 Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade. CVE-2026-41292 Long list of incoming EDNS options degrades performance CVE-2026-33278 Possible arbitrary code execution during DNSSEC validation CVE-2026-41035 In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka –xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable. CVE-2026-44608 Use after free and crash under special conditions in RPZ code CVE-2026-42959 Crash during DNSSEC validation of malicious content CVE-2026-42960 Possible cache poisoning via promiscuous records for the authority section CVE-2026-32792 Packet of death with DNSCrypt CVE-2026-34872 An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values (lack of contributory behavior). This is a problem for protocols that depend on contributory behavior (which is not the case for TLS). The attack can be carried by the peer, or depending on the protocol by an active network attacker (person in the middle). CVE-2026-34871 An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG). CVE-2026-44673 libyang: lyb_read_string() integer overflow → heap buffer overflow CVE-2026-7210 The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection CVE-2026-34873 An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session. CVE-2026-44390 Unbounded name compression in certain cases causes degradation of service CVE-2026-43352 i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue CVE-2026-31717 ksmbd: validate owner of durable handle on reconnect CVE-2025-51480 Path Traversal vulnerability in onnx.external_data_helper.save_external_data in ONNX 1.17.0 allows attackers to overwrite arbitrary files by supplying crafted external_data.location paths containing traversal sequences, bypassing intended directory restrictions.