Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0223
Vulnerability from certfr_avis - Published: 2026-02-27 - Updated: 2026-02-27
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | CBL Mariner | cbl2 libtiff 4.6.0-11 versions antérieures à 4.6.0-12 | ||
| Microsoft | Azure Linux | azl3 cloud-hypervisor 48.0.246-1 versions antérieures à 48.0.246-2 | ||
| Microsoft | Azure Linux | azl3 valkey 8.0.6-1 versions antérieures à 8.0.7-1 | ||
| Microsoft | Azure Linux | azl3 libtiff 4.6.0-11 versions antérieures à 4.6.0-12 | ||
| Microsoft | Azure Linux | azl3 erlang 26.2.5.15-1 versions antérieures à 26.2.5.17-1 |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "cbl2 libtiff 4.6.0-11 versions ant\u00e9rieures \u00e0 4.6.0-12",
"product": {
"name": "CBL Mariner",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 cloud-hypervisor 48.0.246-1 versions ant\u00e9rieures \u00e0 48.0.246-2",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 valkey 8.0.6-1 versions ant\u00e9rieures \u00e0 8.0.7-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libtiff 4.6.0-11 versions ant\u00e9rieures \u00e0 4.6.0-12",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 erlang 26.2.5.15-1 versions ant\u00e9rieures \u00e0 26.2.5.17-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-21863",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21863"
},
{
"name": "CVE-2025-61144",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61144"
},
{
"name": "CVE-2026-21620",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21620"
},
{
"name": "CVE-2025-61143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61143"
},
{
"name": "CVE-2025-67733",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67733"
},
{
"name": "CVE-2026-27211",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27211"
}
],
"initial_release_date": "2026-02-27T00:00:00",
"last_revision_date": "2026-02-27T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0223",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-27T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-02-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-61143",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61143"
},
{
"published_at": "2026-02-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21620",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21620"
},
{
"published_at": "2026-02-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21863",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21863"
},
{
"published_at": "2026-02-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-67733",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-67733"
},
{
"published_at": "2026-02-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-61144",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61144"
},
{
"published_at": "2026-02-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-27211",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27211"
}
]
}
CVE-2025-61143 (GCVE-0-2025-61143)
Vulnerability from cvelistv5 – Published: 2026-02-23 00:00 – Updated: 2026-02-25 14:24
VLAI
EPSS
Summary
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-476 - NULL Pointer Dereference
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:23:47.753296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:24:54.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T17:55:13.933Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitlab.com/libtiff/libtiff/-/issues/737"
},
{
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/755"
},
{
"url": "https://gist.github.com/optionGo/9c024cd8e7b131463b84dc60af9bb0aa"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61143",
"datePublished": "2026-02-23T00:00:00.000Z",
"dateReserved": "2025-09-26T00:00:00.000Z",
"dateUpdated": "2026-02-25T14:24:54.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61144 (GCVE-0-2025-61144)
Vulnerability from cvelistv5 – Published: 2026-02-23 00:00 – Updated: 2026-02-25 14:27
VLAI
EPSS
Summary
libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:26:52.367396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:27:56.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:00:14.230Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitlab.com/libtiff/libtiff/-/issues/740"
},
{
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/757"
},
{
"url": "https://gitlab.com/libtiff/libtiff/-/commit/88cf9dbb48f6e172629795ecffae35d5052f68aa"
},
{
"url": "https://gitlab.com/libtiff/libtiff/-/commit/09f53a86cf26dfd961925227e59e180db617f26d"
},
{
"url": "https://gist.github.com/optionGo/5ad17e96a0a40f03578dd6c9f8645952"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61144",
"datePublished": "2026-02-23T00:00:00.000Z",
"dateReserved": "2025-09-26T00:00:00.000Z",
"dateUpdated": "2026-02-25T14:27:56.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67733 (GCVE-0-2025-67733)
Vulnerability from cvelistv5 – Published: 2026-02-23 19:39 – Updated: 2026-06-30 12:07
VLAI
EPSS
Title
Valkey Affected by RESP Protocol Injection via Lua error_reply
Summary
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
Severity
8.5 (High)
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/valkey-io/valkey/security/advi… | x_refsource_CONFIRM |
| https://access.redhat.com/security/cve/CVE-2025-67733 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2442025 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:5445 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:3443 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:3507 | vendor-advisoryx_refsource_REDHAT |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| valkey-io | valkey |
Affected:
< 7.2.12
Affected: >= 8.0.0, < 8.0.7 Affected: >= 8.1.0, < 8.1.6 Affected: >= 9.0.0, < 9.0.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:56:42.607743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:57:21.038Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-23T19:39:29.136Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Valkey, a distributed key-value database. A malicious user can exploit this vulnerability by using scripting commands to inject arbitrary information into the response stream. This is caused by improper handling of null characters in the error handling code for Lua scripts. Successful exploitation could lead to corrupting or returning tampered data to other users on the same connection, impacting data integrity and availability."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-170",
"description": "Improper Null Termination",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:15.537Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-67733"
},
{
"name": "RHBZ#2442025",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442025"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-67733.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5445"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3443"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3507"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:5445: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:3443: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:3507: Red Hat Enterprise Linux AppStream (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T21:03:05.837Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-23T19:39:29.136Z",
"value": "Made public."
}
],
"title": "Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "valkey",
"vendor": "valkey-io",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.7"
},
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.6"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T19:39:29.136Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/valkey-io/valkey/security/advisories/GHSA-p876-p7q5-hv2m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-p876-p7q5-hv2m"
}
],
"source": {
"advisory": "GHSA-p876-p7q5-hv2m",
"discovery": "UNKNOWN"
},
"title": "Valkey Affected by RESP Protocol Injection via Lua error_reply"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67733",
"datePublished": "2026-02-23T19:39:29.136Z",
"dateReserved": "2025-12-11T00:45:45.790Z",
"dateUpdated": "2026-06-30T12:07:15.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21620 (GCVE-0-2026-21620)
Vulnerability from cvelistv5 – Published: 2026-02-20 10:57 – Updated: 2026-05-27 15:40
VLAI
EPSS
Title
TFTP Path Traversal
Summary
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.
This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-21620.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-21620 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/pull/10706 | patch |
| https://github.com/erlang/otp/commit/696fdec92266… | patch |
| https://github.com/erlang/otp/commit/3970738f6873… | patch |
| https://github.com/erlang/otp/commit/655fb95725ba… | patch |
Impacted products
Credits
Luigino Camastra / Aisle Research
Jakub Witczak
Raimo Niskanen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T13:36:03.423294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T13:36:39.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/tftp/src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "26.2.5.17",
"status": "unaffected"
},
{
"at": "27.3.4.8",
"status": "unaffected"
},
{
"at": "28.3.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "655fb95725ba2fb811740b57e106873833824344",
"status": "unaffected"
},
{
"at": "3970738f687325138eb75f798054fa8960ac354e",
"status": "unaffected"
},
{
"at": "696fdec922661d4a3cc528fc34bc24fae8d4ad8a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "7.0",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "tftp",
"packageURL": "pkg:otp/tftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.1.1.1",
"status": "unaffected"
},
{
"at": "1.2.2.1",
"status": "unaffected"
},
{
"at": "1.2.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0",
"versionType": "otp"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A TFTP server must be started and the TFTP port must be reachable by the attacker, using the \u003ctt\u003etftp\u003c/tt\u003e application (or the legacy \u003ctt\u003einets\u003c/tt\u003e TFTP service) with the \u003ctt\u003etftp_file\u003c/tt\u003e callback module configured with the \u003ctt\u003e{root_dir, Dir}\u003c/tt\u003e option."
}
],
"value": "A TFTP server must be started and the TFTP port must be reachable by the attacker, using the tftp application (or the legacy inets TFTP service) with the tftp_file callback module configured with the {root_dir, Dir} option."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.8",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.3.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/tftp/src/tftp_file.erl\u003c/tt\u003e, \u003ctt\u003esrc/tftp_file.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.\u003c/p\u003e"
}
],
"value": "Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.\n\nThis issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:40:46.090Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21620.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21620"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10706"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/696fdec922661d4a3cc528fc34bc24fae8d4ad8a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/3970738f687325138eb75f798054fa8960ac354e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/655fb95725ba2fb811740b57e106873833824344"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "TFTP Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21620",
"datePublished": "2026-02-20T10:57:08.620Z",
"dateReserved": "2026-01-01T03:46:45.934Z",
"dateUpdated": "2026-05-27T15:40:46.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21863 (GCVE-0-2026-21863)
Vulnerability from cvelistv5 – Published: 2026-02-23 19:41 – Updated: 2026-06-30 12:06
VLAI
EPSS
Title
Malformed Valkey Cluster bus message can lead to Remote DoS
Summary
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/valkey-io/valkey/security/advi… | x_refsource_CONFIRM |
| https://access.redhat.com/security/cve/CVE-2026-21863 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2442026 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:5445 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:3443 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:3507 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:8753 | vendor-advisoryx_refsource_REDHAT |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| valkey-io | valkey |
Affected:
< 7.2.12
Affected: >= 8.0.0, < 8.0.7 Affected: >= 8.1.0, < 8.1.6 Affected: >= 9.0.0, < 9.0.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:58:12.583553Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:58:41.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-23T19:41:28.783Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Valkey, a distributed key-value database. A malicious actor with access to the Valkey clusterbus port can exploit an input validation vulnerability by sending a specially crafted invalid clusterbus packet. This lack of validation for clusterbus ping extension packets can lead to an out-of-bounds read. Consequently, this may cause the system to crash, resulting in a Denial of Service (DoS)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:48.673Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-21863"
},
{
"name": "RHBZ#2442026",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442026"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21863.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5445"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3443"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3507"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8753"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:5445: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:3443: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:3507: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:8753: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T21:03:12.281Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-23T19:41:28.783Z",
"value": "Made public."
}
],
"title": "valkey: Valkey: Denial of Service via invalid clusterbus packet",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, restrict network access to the Valkey cluster bus port. Configure network access control lists (ACLs) or firewall rules to ensure that only trusted hosts can connect to the cluster bus port. This limits the attack surface by preventing unauthorized actors from sending malicious clusterbus packets."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "valkey",
"vendor": "valkey-io",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.7"
},
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.6"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don\u0027t expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T19:41:28.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq"
}
],
"source": {
"advisory": "GHSA-c677-q3wr-gggq",
"discovery": "UNKNOWN"
},
"title": "Malformed Valkey Cluster bus message can lead to Remote DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21863",
"datePublished": "2026-02-23T19:41:28.783Z",
"dateReserved": "2026-01-05T16:44:16.367Z",
"dateUpdated": "2026-06-30T12:06:48.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27211 (GCVE-0-2026-27211)
Vulnerability from cvelistv5 – Published: 2026-02-21 05:36 – Updated: 2026-02-25 21:17
VLAI
EPSS
Title
Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse
Summary
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file's contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/cloud-hypervisor/cloud-hypervi… | x_refsource_CONFIRM |
| https://github.com/cloud-hypervisor/cloud-hypervi… | x_refsource_MISC |
| https://github.com/cloud-hypervisor/cloud-hypervi… | x_refsource_MISC |
| https://github.com/cloud-hypervisor/cloud-hypervi… | x_refsource_MISC |
| https://github.com/cloud-hypervisor/cloud-hypervi… | x_refsource_MISC |
| https://github.com/cloud-hypervisor/cloud-hypervi… | x_refsource_MISC |
| https://github.com/cloud-hypervisor/cloud-hypervi… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cloud-hypervisor | cloud-hypervisor |
Affected:
>= 34.0, < 50.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T21:17:31.615787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T21:17:44.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cloud-hypervisor",
"vendor": "cloud-hypervisor",
"versions": [
{
"status": "affected",
"version": "\u003e= 34.0, \u003c 50.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path. Upon the next VM boot or disk scan, the image format auto-detection parses this header and serves the host file\u0027s contents to the guest. Guest-initiated VM reboots are sufficient to trigger a disk scan and do not cause the Cloud Hypervisor process to exit. Therefore, a single VM can perform this attack without needing interaction from the management stack. Successful exploitation requires the backing image to be either writable by the guest or sourced from an untrusted origin. Deployments utilizing only trusted, read-only images are not affected. This issue has been fixed in version 50.1. To workaround, enable land lock sandboxing and restrict process privileges and access."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T05:36:33.169Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-jmr4-g2hv-mjj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-jmr4-g2hv-mjj6"
},
{
"name": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/081a6ebb5184228ff348601502258f3f72bd8b43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/081a6ebb5184228ff348601502258f3f72bd8b43"
},
{
"name": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/509832298b6865365b00bda88722e76e41ce7f41",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/509832298b6865365b00bda88722e76e41ce7f41"
},
{
"name": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/a63315df54e06f6ec867f17b63076c266e2d8648",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/a63315df54e06f6ec867f17b63076c266e2d8648"
},
{
"name": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/cb495959a8bea1b56e8fc82d15ba527a0e7fcf3c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloud-hypervisor/cloud-hypervisor/commit/cb495959a8bea1b56e8fc82d15ba527a0e7fcf3c"
},
{
"name": "https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v50.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v50.1"
},
{
"name": "https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.0"
}
],
"source": {
"advisory": "GHSA-jmr4-g2hv-mjj6",
"discovery": "UNKNOWN"
},
"title": "Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27211",
"datePublished": "2026-02-21T05:36:33.169Z",
"dateReserved": "2026-02-18T19:47:02.156Z",
"dateUpdated": "2026-02-25T21:17:44.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…