Dangerzone Security Dashboard

Target: ghcr.io/freedomofpress/dangerzone/v1:latest
Type: image
Checksum: sha256:3b611198ea4f56cd6365fc58431c71d9850d7a6b0785d45b32e4c3a5ee0990af
Date: 2026-02-27T04:20:23.161653257Z
Critical: 1
High: 27
Medium: 116
Low: 14
Unknown: 0
Name Version Type Vulnerability Severity State Fixed In Description Related URLs PURL
login.defs 1:4.17.4-2 deb CVE-2024-56433 Low wont-fix N/A shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. [] pkg:deb/debian/login.defs@1%3A4.17.4-2?arch=all&distro=debian-13&upstream=shadow
passwd 1:4.17.4-2 deb CVE-2024-56433 Low wont-fix N/A shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. [] pkg:deb/debian/passwd@1%3A4.17.4-2?arch=amd64&distro=debian-13&upstream=shadow
libpoppler147 25.03.0-5+deb13u2 deb CVE-2019-9543 Low wont-fix N/A An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit. [] pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler
libmupdf25.1 1.25.1+ds1-6 deb CVE-2025-46206 Medium wont-fix N/A An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion [] pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6?arch=amd64&distro=debian-13&upstream=mupdf
python3-mupdf 1.25.1+ds1-6 deb CVE-2025-46206 Medium wont-fix N/A An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion [] pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6?arch=amd64&distro=debian-13&upstream=mupdf
libpython3.13 3.13.5-2 deb CVE-2025-8194 High wont-fix N/A There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-8194 High wont-fix N/A There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-8194 High wont-fix N/A There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-8194 High wont-fix N/A There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-8194 High wont-fix N/A There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpoppler147 25.03.0-5+deb13u2 deb CVE-2019-9545 Low wont-fix N/A An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero. [] pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler
libopenjp2-7 2.5.3-2.1~deb13u1 deb CVE-2019-6988 Low wont-fix N/A An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_tcd_init_tile in openjp2/tcd.c, as demonstrated by the 64-bit opj_decompress. [] pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2
libpython3.13 3.13.5-2 deb CVE-2025-6069 Medium wont-fix N/A The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-6069 Medium wont-fix N/A The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-6069 Medium wont-fix N/A The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-6069 Medium wont-fix N/A The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-6069 Medium wont-fix N/A The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13 3.13.5-2 deb CVE-2026-0672 Medium wont-fix N/A When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2026-0672 Medium wont-fix N/A When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2026-0672 Medium wont-fix N/A When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2026-0672 Medium wont-fix N/A When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2026-0672 Medium wont-fix N/A When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13 3.13.5-2 deb CVE-2026-0865 Medium wont-fix N/A User-controlled header names and values containing newlines can allow injecting HTTP headers. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2026-0865 Medium wont-fix N/A User-controlled header names and values containing newlines can allow injecting HTTP headers. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2026-0865 Medium wont-fix N/A User-controlled header names and values containing newlines can allow injecting HTTP headers. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2026-0865 Medium wont-fix N/A User-controlled header names and values containing newlines can allow injecting HTTP headers. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2026-0865 Medium wont-fix N/A User-controlled header names and values containing newlines can allow injecting HTTP headers. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libcairo2 1.18.4-1+b1 deb CVE-2017-7475 Low wont-fix N/A Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash. [] pkg:deb/debian/libcairo2@1.18.4-1%2Bb1?arch=amd64&distro=debian-13&upstream=cairo%401.18.4-1
libpython3.13 3.13.5-2 deb CVE-2025-8291 Medium wont-fix N/A The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-8291 Medium wont-fix N/A The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-8291 Medium wont-fix N/A The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-8291 Medium wont-fix N/A The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-8291 Medium wont-fix N/A The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libopenjp2-7 2.5.3-2.1~deb13u1 deb CVE-2023-39329 Medium wont-fix N/A A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service. [] pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2
libpython3.13 3.13.5-2 deb CVE-2025-15366 Medium wont-fix N/A The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13 3.13.5-2 deb CVE-2025-15367 Medium wont-fix N/A The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-15366 Medium wont-fix N/A The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-15367 Medium wont-fix N/A The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-15366 Medium wont-fix N/A The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-15367 Medium wont-fix N/A The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-15366 Medium wont-fix N/A The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13 3.13.5-2 deb CVE-2025-15367 Medium wont-fix N/A The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-15366 Medium wont-fix N/A The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13-minimal 3.13.5-2 deb CVE-2025-15367 Medium wont-fix N/A The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpng16-16t64 1.6.48-1+deb13u1 deb CVE-2026-25646 High fixed 1.6.48-1+deb13u3 LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55. [] pkg:deb/debian/libpng16-16t64@1.6.48-1%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=libpng1.6
libtasn1-6 4.20.0-2 deb CVE-2025-13151 High wont-fix N/A Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. [] pkg:deb/debian/libtasn1-6@4.20.0-2?arch=amd64&distro=debian-13
libavahi-client3 0.8-16 deb CVE-2024-52616 Medium wont-fix N/A A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. [] pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common-data 0.8-16 deb CVE-2024-52616 Medium wont-fix N/A A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. [] pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common3 0.8-16 deb CVE-2024-52616 Medium wont-fix N/A A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. [] pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libc-bin 2.41-12+deb13u1 deb CVE-2025-15281 High wont-fix N/A Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. [] pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=glibc
libc6 2.41-12+deb13u1 deb CVE-2025-15281 High wont-fix N/A Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. [] pkg:deb/debian/libc6@2.41-12%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=glibc
libexpat1 2.7.1-2 deb CVE-2025-59375 High wont-fix N/A libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. [] pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat
libmupdf25.1 1.25.1+ds1-6 deb CVE-2025-55780 High wont-fix N/A A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain. [] pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6?arch=amd64&distro=debian-13&upstream=mupdf
python3-mupdf 1.25.1+ds1-6 deb CVE-2025-55780 High wont-fix N/A A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain. [] pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6?arch=amd64&distro=debian-13&upstream=mupdf
libmupdf25.1 1.25.1+ds1-6 deb CVE-2026-25556 High wont-fix N/A MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. [] pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6?arch=amd64&distro=debian-13&upstream=mupdf
python3-mupdf 1.25.1+ds1-6 deb CVE-2026-25556 High wont-fix N/A MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. [] pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6?arch=amd64&distro=debian-13&upstream=mupdf
libglib2.0-0t64 2.84.4-3~deb13u2 deb CVE-2026-1489 Medium wont-fix N/A A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable. [] pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0
libavahi-client3 0.8-16 deb CVE-2024-52615 Medium wont-fix N/A A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. [] pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common-data 0.8-16 deb CVE-2024-52615 Medium wont-fix N/A A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. [] pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common3 0.8-16 deb CVE-2024-52615 Medium wont-fix N/A A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. [] pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libharfbuzz-icu0 10.2.0-1+b1 deb CVE-2026-22693 Medium wont-fix N/A HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. [] pkg:deb/debian/libharfbuzz-icu0@10.2.0-1%2Bb1?arch=amd64&distro=debian-13&upstream=harfbuzz%4010.2.0-1
libharfbuzz0b 10.2.0-1+b1 deb CVE-2026-22693 Medium wont-fix N/A HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. [] pkg:deb/debian/libharfbuzz0b@10.2.0-1%2Bb1?arch=amd64&distro=debian-13&upstream=harfbuzz%4010.2.0-1
libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u2 deb CVE-2026-0990 Medium wont-fix N/A A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. [] pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13
libglib2.0-0t64 2.84.4-3~deb13u2 deb CVE-2026-1484 Medium wont-fix N/A A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. [] pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0
libglib2.0-0t64 2.84.4-3~deb13u2 deb CVE-2026-0988 Low wont-fix N/A A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). [] pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0
libxslt1.1 1.1.35-1.2+deb13u2 deb CVE-2025-11731 Low wont-fix N/A A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service. [] pkg:deb/debian/libxslt1.1@1.1.35-1.2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=libxslt
libpython3.13 3.13.5-2 deb CVE-2025-15282 Medium wont-fix N/A User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13 3.13.5-2 deb CVE-2026-1299 Medium wont-fix N/A The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-15282 Medium wont-fix N/A User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2026-1299 Medium wont-fix N/A The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-15282 Medium wont-fix N/A User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2026-1299 Medium wont-fix N/A The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-15282 Medium wont-fix N/A User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13 3.13.5-2 deb CVE-2026-1299 Medium wont-fix N/A The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-15282 Medium wont-fix N/A User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13-minimal 3.13.5-2 deb CVE-2026-1299 Medium wont-fix N/A The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13 3.13.5-2 deb CVE-2025-12084 Medium wont-fix N/A When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-12084 Medium wont-fix N/A When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-12084 Medium wont-fix N/A When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-12084 Medium wont-fix N/A When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-12084 Medium wont-fix N/A When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpng16-16t64 1.6.48-1+deb13u1 deb CVE-2026-22695 High fixed 1.6.48-1+deb13u2 LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. [] pkg:deb/debian/libpng16-16t64@1.6.48-1%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=libpng1.6
libopenjp2-7 2.5.3-2.1~deb13u1 deb CVE-2023-39327 Medium wont-fix N/A A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal. [] pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2
libavahi-client3 0.8-16 deb CVE-2025-68468 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. [] pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-client3 0.8-16 deb CVE-2026-24401 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. [] pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common-data 0.8-16 deb CVE-2025-68468 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. [] pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common-data 0.8-16 deb CVE-2026-24401 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. [] pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common3 0.8-16 deb CVE-2025-68468 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. [] pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common3 0.8-16 deb CVE-2026-24401 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. [] pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libpython3.13 3.13.5-2 deb CVE-2025-12781 Medium wont-fix N/A When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-12781 Medium wont-fix N/A When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-12781 Medium wont-fix N/A When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-12781 Medium wont-fix N/A When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-12781 Medium wont-fix N/A When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libcurl3t64-gnutls 8.14.1-2+deb13u2 deb CVE-2025-14819 Medium wont-fix N/A When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. [] pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl
libcurl4t64 8.14.1-2+deb13u2 deb CVE-2025-14819 Medium wont-fix N/A When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. [] pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl
libgnutls30t64 3.8.9-3+deb13u1 deb CVE-2025-14831 Medium fixed 3.8.9-3+deb13u2 A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs). [] pkg:deb/debian/libgnutls30t64@3.8.9-3%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=gnutls28
libnss3 2:3.110-1 deb CVE-2026-2781 Critical not-fixed N/A Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. [] pkg:deb/debian/libnss3@2%3A3.110-1?arch=amd64&distro=debian-13&upstream=nss
libcurl3t64-gnutls 8.14.1-2+deb13u2 deb CVE-2025-14524 Medium wont-fix N/A When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. [] pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl
libcurl4t64 8.14.1-2+deb13u2 deb CVE-2025-14524 Medium wont-fix N/A When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. [] pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl
libavahi-client3 0.8-16 deb CVE-2025-59529 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users. [] pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common-data 0.8-16 deb CVE-2025-59529 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users. [] pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common3 0.8-16 deb CVE-2025-59529 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users. [] pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libpng16-16t64 1.6.48-1+deb13u1 deb CVE-2026-22801 High fixed 1.6.48-1+deb13u2 LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. [] pkg:deb/debian/libpng16-16t64@1.6.48-1%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=libpng1.6
libpoppler147 25.03.0-5+deb13u2 deb CVE-2025-52885 Medium wont-fix N/A Poppler is a library for rendering PDF files, and examining or modifying their structure. A use-after-free (write) vulnerability has been detected in versions Poppler prior to 25.10.0 within the StructTreeRoot class. The issue arises from the use of raw pointers to elements of a `std::vector`, which can lead to dangling pointers when the vector is resized. The vulnerability stems from the way that refToParentMap stores references to `std::vector` elements using raw pointers. These pointers may become invalid when the vector is resized. This vulnerability is a common security problem involving the use of raw pointers to `std::vectors`. Internally, `std::vector` stores its elements in a dynamically allocated array. When the array reaches its capacity and a new element is added, the vector reallocates a larger block of memory and moves all the existing elements to the new location. At this point if any pointers to elements are stored before a resize occurs, they become dangling pointers once the reallocation happens. Version 25.10.0 contains a patch for the issue. [] pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler
libc-bin 2.41-12+deb13u1 deb CVE-2026-0915 High wont-fix N/A Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. [] pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=glibc
libc6 2.41-12+deb13u1 deb CVE-2026-0915 High wont-fix N/A Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. [] pkg:deb/debian/libc6@2.41-12%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=glibc
libpython3.13 3.13.5-2 deb CVE-2025-6075 Medium wont-fix N/A If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-6075 Medium wont-fix N/A If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-6075 Medium wont-fix N/A If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-6075 Medium wont-fix N/A If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-6075 Medium wont-fix N/A If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13 3.13.5-2 deb CVE-2025-13837 Medium wont-fix N/A When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues [] pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-minimal 3.13.5-2 deb CVE-2025-13837 Medium wont-fix N/A When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues [] pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libpython3.13-stdlib 3.13.5-2 deb CVE-2025-13837 Medium wont-fix N/A When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues [] pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
python3.13 3.13.5-2 deb CVE-2025-13837 Medium wont-fix N/A When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues [] pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13
python3.13-minimal 3.13.5-2 deb CVE-2025-13837 Medium wont-fix N/A When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues [] pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13
libncursesw6 6.5+20250216-2 deb CVE-2025-6141 Medium wont-fix N/A A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. [] pkg:deb/debian/libncursesw6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses
libtinfo6 6.5+20250216-2 deb CVE-2025-6141 Medium wont-fix N/A A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. [] pkg:deb/debian/libtinfo6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses
ncurses-base 6.5+20250216-2 deb CVE-2025-6141 Medium wont-fix N/A A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. [] pkg:deb/debian/ncurses-base@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses
ncurses-bin 6.5+20250216-2 deb CVE-2025-6141 Medium wont-fix N/A A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. [] pkg:deb/debian/ncurses-bin@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses
libavahi-client3 0.8-16 deb CVE-2025-68471 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. [] pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common-data 0.8-16 deb CVE-2025-68471 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. [] pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common3 0.8-16 deb CVE-2025-68471 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. [] pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libexpat1 2.7.1-2 deb CVE-2025-66382 Medium wont-fix N/A In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. [] pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat
libpoppler147 25.03.0-5+deb13u2 deb CVE-2025-43718 Low wont-fix N/A Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor). [] pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler
libavahi-client3 0.8-16 deb CVE-2025-68276 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. [] pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common-data 0.8-16 deb CVE-2025-68276 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. [] pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libavahi-common3 0.8-16 deb CVE-2025-68276 Medium wont-fix N/A Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. [] pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi
libopenjp2-7 2.5.3-2.1~deb13u1 deb CVE-2023-39328 Medium wont-fix N/A A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file. [] pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2
libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u2 deb CVE-2026-0989 Low wont-fix N/A A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. [] pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13
libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u2 deb CVE-2026-0992 Low wont-fix N/A A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. [] pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13
libc-bin 2.41-12+deb13u1 deb CVE-2026-0861 High wont-fix N/A Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. [] pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=glibc
libc6 2.41-12+deb13u1 deb CVE-2026-0861 High wont-fix N/A Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. [] pkg:deb/debian/libc6@2.41-12%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=glibc
libxslt1.1 1.1.35-1.2+deb13u2 deb CVE-2025-10911 Medium wont-fix N/A A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash. [] pkg:deb/debian/libxslt1.1@1.1.35-1.2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=libxslt
libcairo2 1.18.4-1+b1 deb CVE-2025-50422 Low wont-fix N/A Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c. [] pkg:deb/debian/libcairo2@1.18.4-1%2Bb1?arch=amd64&distro=debian-13&upstream=cairo%401.18.4-1
dirmngr 2.4.7-21+deb13u1+b1 deb CVE-2026-24882 High wont-fix N/A In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. [] pkg:deb/debian/dirmngr@2.4.7-21%2Bdeb13u1%2Bb1?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1
gnupg 2.4.7-21+deb13u1 deb CVE-2026-24882 High wont-fix N/A In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. [] pkg:deb/debian/gnupg@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2
gnupg-l10n 2.4.7-21+deb13u1 deb CVE-2026-24882 High wont-fix N/A In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. [] pkg:deb/debian/gnupg-l10n@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2
gpg 2.4.7-21+deb13u1+b1 deb CVE-2026-24882 High wont-fix N/A In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. [] pkg:deb/debian/gpg@2.4.7-21%2Bdeb13u1%2Bb1?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1
gpg-agent 2.4.7-21+deb13u1+b1 deb CVE-2026-24882 High wont-fix N/A In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. [] pkg:deb/debian/gpg-agent@2.4.7-21%2Bdeb13u1%2Bb1?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1
gpgconf 2.4.7-21+deb13u1+b1 deb CVE-2026-24882 High wont-fix N/A In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. [] pkg:deb/debian/gpgconf@2.4.7-21%2Bdeb13u1%2Bb1?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1
gpgsm 2.4.7-21+deb13u1+b1 deb CVE-2026-24882 High wont-fix N/A In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. [] pkg:deb/debian/gpgsm@2.4.7-21%2Bdeb13u1%2Bb1?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1
libcurl3t64-gnutls 8.14.1-2+deb13u2 deb CVE-2025-13034 Medium wont-fix N/A When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. [] pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl
libcurl4t64 8.14.1-2+deb13u2 deb CVE-2025-13034 Medium wont-fix N/A When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. [] pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl
libexpat1 2.7.1-2 deb CVE-2026-25210 Medium wont-fix N/A In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. [] pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat
bsdutils 1:2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/bsdutils@1%3A2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5
libblkid1 2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/libblkid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux
liblastlog2-2 2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/liblastlog2-2@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux
libmount1 2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/libmount1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux
libsmartcols1 2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/libsmartcols1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux
libuuid1 2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/libuuid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux
login 1:4.16.0-2+really2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5
mount 2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/mount@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux
util-linux 2.41-5 deb CVE-2025-14104 Medium wont-fix N/A A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. [] pkg:deb/debian/util-linux@2.41-5?arch=amd64&distro=debian-13
zlib1g 1:1.3.dfsg+really1.3.1-1+b1 deb CVE-2026-27171 Medium wont-fix N/A zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. [] pkg:deb/debian/zlib1g@1%3A1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=amd64&distro=debian-13&upstream=zlib%401%3A1.3.dfsg%2Breally1.3.1-1
libglib2.0-0t64 2.84.4-3~deb13u2 deb CVE-2026-1485 Low wont-fix N/A A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. [] pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0
libexpat1 2.7.1-2 deb CVE-2026-24515 Low wont-fix N/A In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. [] pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat