CVSS: 9.1EPSS: 0%CPEs: 11EXPL: 0CVE-2026-28369 – Undertow: undertow: request smuggling via malformed http request headers
https://notcve.org/view.php?id=CVE-2026-28369
27 Mar 2026 — A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure. • https://access.redhat.com/security/cve/CVE-2026-28369 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.1EPSS: 0%CPEs: 11EXPL: 0CVE-2026-28368 – Undertow: undertow: request smuggling via inconsistent header parsing
https://notcve.org/view.php?id=CVE-2026-28368
27 Mar 2026 — A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources. • https://access.redhat.com/security/cve/CVE-2026-28368 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2026-0965 – Libssh: libssh: denial of service via improper configuration file handling
https://notcve.org/view.php?id=CVE-2026-0965
26 Mar 2026 — A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations. Se encontró una falla en libssh donde puede intentar abrir archivos arbitrarios durante el anális... • https://access.redhat.com/security/cve/CVE-2026-0965 • CWE-73: External Control of File Name or Path •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-0967 – Libssh: libssh: denial of service via inefficient regular expression processing
https://notcve.org/view.php?id=CVE-2026-0967
26 Mar 2026 — A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client. Se encontró una vulnerabilidad en libssh. Un atacante remoto, al controlar los archivos de configuración del cliente o los archivos known_hosts, podría cre... • https://access.redhat.com/security/cve/CVE-2026-0967 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-4647 – Binutils: out-of-bounds read in xcoff relocation processing in gnu binutils bfd library
https://notcve.org/view.php?id=CVE-2026-4647
23 Mar 2026 — A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks. Se encontró ... • https://access.redhat.com/security/cve/CVE-2026-4647 • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 1%CPEs: 10EXPL: 0CVE-2025-9784 – Undertow: undertow madeyoureset http/2 ddos vulnerability
https://notcve.org/view.php?id=CVE-2025-9784
02 Sep 2025 — A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). Red Hat build of Apache Camel 4.14.2 for Spring Boot patch release and security u... • https://access.redhat.com/security/cve/CVE-2025-9784 • CWE-404: Improper Resource Shutdown or Release CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-6505 – Qemu-kvm: virtio-net: queue index out-of-bounds access in software rss
https://notcve.org/view.php?id=CVE-2024-6505
05 Jul 2024 — A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host. Se encontró un fallo en el dispositivo virtio-net en QEMU. • https://access.redhat.com/security/cve/CVE-2024-6505 • CWE-125: Out-of-bounds Read •
CVSS: 8.1EPSS: 42%CPEs: 54EXPL: 109CVE-2024-6387 – Openssh: regresshion - race condition in ssh allows rce/dos
https://notcve.org/view.php?id=CVE-2024-6387
01 Jul 2024 — A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. Se encontró una condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anter... • https://packetstorm.news/files/id/179290 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-6239 – Poppler: pdfinfo: crash in broken documents when using -dests parameter
https://notcve.org/view.php?id=CVE-2024-6239
21 Jun 2024 — A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service. Se encontró una falla en la utilidad Pdfinfo de Poppler. Este problema ocurre cuando se usa el parámetro -dests con la utilidad pdfinfo. • https://access.redhat.com/security/cve/CVE-2024-6239 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 1%CPEs: 21EXPL: 1CVE-2024-3049 – Booth: specially crafted hash can lead to invalid hmac being accepted by booth server
https://notcve.org/view.php?id=CVE-2024-3049
06 Jun 2024 — A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server. Se encontró una falla en Booth, un administrador de tickets de clúster. Si se pasa un hash especialmente manipulado a gcry_md_get_algo_dlen(), es posible que el servidor Booth acepte un HMAC no válido. An update for booth is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterp... • https://github.com/truonghuuphuc/CVE-2024-30491-Poc • CWE-345: Insufficient Verification of Data Authenticity •