CVE-2026-42015
A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker
CVSS
5.3
Medio
EPSS
0.7%
p50
KEV
—
Exploit Today
15
0-100
Publicado: 26 may 2026 · Última mod.: 15 jul 2026 · CWE-193
0.7%EPSS · 30 días0.7%
2026-06-302026-07-16
A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13274
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20611
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20612
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20613
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26319
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26409
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:29197
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30004
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30849
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30850
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:32962
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33125
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-42015
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2467678
- www.gnutls.orghttps://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-11
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-504976.5 MED55.2%
——17Off-by-one error in Windows Remote Desktop Protocol allows an unauthorized attacker to disclose information over a network.14hCVE-2026-124137.5 ALT44.6%
——13An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected.8dCVE-2006-100039.8 CRÍ42.2%
——13XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.
In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.
The bug can be observed when parsing an XML file with very deep element nesting2dCVE-2026-78317.6 ALT41.0%
——12UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries the single-byte NUL overwrite adjacent stack data. On builds with /GS stack protection the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.8dCVE-2026-491278.6 ALT40.1%
——12Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.2dCVE-2026-439643.7 BAJ33.7%
——10Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.2d