1 week ago
It was discovered that Cyborg did not properly enforce project ownership in
the Accelerator Request (ARQ) API. An authenticated user could possibly use
this issue to delete ARQs bound to other projects' instances, resulting in
a cross-tenant denial of service. (CVE-2026-40214)
It was discovered that Cyborg used a permissive default policy that
authorized any request carrying a valid authentication token, regardless of
roles or scope, for multiple API endpoints. An authenticated user could
possibly use this issue to perform unauthorized actions, such as
reprogramming FPGA bitstreams on arbitrary compute nodes. (CVE-2026-40213)
1 week ago
FEDORA-EPEL-2026-2d971fc3b0
Packages in this update:
- ImageMagick-6.9.13.49-1.el9
Update description:
Summary
This update fixes several security vulnerabilities, including multiple
high-severity CVEs:
Security fixes
- CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that
could result in an out-of-bounds write when processing a crafted image.
- CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth
limit causes stack exhaustion when processing deeply nested XML structures,
resulting in a Denial of Service (DoS).
- CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder
triggered when a user specifies an invalid sampling index.
Additional security and bug fixes are included in the upstream releases
between 6.9.13.25 and 6.9.13.49. See the upstream release history at:
https://github.com/ImageMagick/ImageMagick6/releases
1 week ago
FEDORA-EPEL-2026-fb9a9ab1e9
Packages in this update:
- ImageMagick-6.9.13.49-1.el8
Update description:
Summary
This update fixes several security vulnerabilities, including multiple
high-severity CVEs:
Security fixes
- CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that
could result in an out-of-bounds write when processing a crafted image.
- CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth
limit causes stack exhaustion when processing deeply nested XML structures,
resulting in a Denial of Service (DoS).
- CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder
triggered when a user specifies an invalid sampling index.
Additional security and bug fixes are included in the upstream releases
between 6.9.13.25 and 6.9.13.49. See the upstream release history at:
https://github.com/ImageMagick/ImageMagick6/releases
1 week ago
It was discovered that Lodash was vulnerable to a prototype pollution
issue in the zipObjectDeep function. An attacker could possibly use this
issue to modify application behavior. This issue only affected Ubuntu
18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)
Liyuan Chen discovered that Lodash was vulnerable to a regular
expression denial of service issue in the toNumber, trim, and trimEnd
functions. An attacker could possibly use this issue to consume
excessive system resources, resulting in a denial of service. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)
Marc Hassan discovered that Lodash did not properly sanitize input to
the template function. An attacker could possibly use this issue to
inject and execute arbitrary commands. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337)
It was discovered that Lodash was vulnerable to a prototype pollution
issue in the unset and omit functions. An attacker could possibly use
this issue to delete properties from global prototypes, resulting in
security restrictions being bypassed. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and
Ubuntu 25.10. (CVE-2025-13465)
It was discovered that Lodash was vulnerable to a prototype pollution
issue in the unset and omit functions. An attacker could possibly use
this issue to delete properties from built-in prototypes, resulting in
security restrictions being bypassed. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950)
It was discovered that Lodash did not properly validate certain inputs
to the template function. An attacker could possibly use this issue to
inject malicious code during template processing, resulting in arbitrary
code execution. (CVE-2026-4800)
1 week ago
USN-8044-1 fixed a vulnerability in alsa-lib. This update provides the
corresponding fix for alsa-lib on Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that alsa-lib incorrectly handled the topology mixer
control decoder. A local attacker could use a specially crafted topology
file to cause alsa-lib to crash, resulting in a denial of service, or
possibly execute arbitrary code.