Nixpkgs Security Tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0667
published on 16 Mar 2026
Permalink CVE-2026-3085
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
    5 days, 11 hours ago
  • @LeSuisse accepted 5 days, 11 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability

GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

Ignored packages (8)

Package maintainers

OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0659
published on 16 Mar 2026
Permalink CVE-2026-32772
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse accepted 5 days, 10 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
telnet in GNU inetutils through 2.7 allows servers to read …

telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.

References

Affected products

inetutils
  • =<2.7

Matching in nixpkgs

Package maintainers

Upstream discussion: https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00038.html
OSS Sec thread: https://www.openwall.com/lists/oss-security/2026/03/13/1
NIXPKGS-2026-0669
published on 16 Mar 2026
Permalink CVE-2026-3086
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
    5 days, 11 hours ago
  • @LeSuisse accepted 5 days, 11 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability

GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of APS units. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28911.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

Ignored packages (8)

Package maintainers

OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0663
published on 16 Mar 2026
Permalink CVE-2026-3083
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
    5 days, 11 hours ago
  • @LeSuisse accepted 5 days, 11 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability

GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

Ignored packages (8)

Package maintainers

OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0670
published on 16 Mar 2026
Permalink CVE-2026-2920
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
    5 days, 11 hours ago
  • @LeSuisse accepted 5 days, 11 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability

GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

Ignored packages (8)

Package maintainers

OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0673
published on 16 Mar 2026
Permalink CVE-2026-4174
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 5 days, 18 hours ago
  • @LeSuisse accepted 5 days, 12 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
Radare2 Mach-O File mach0.c walk_exports_trie resource consumption

A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".

References

Affected products

Radare2
  • ==5.9.9
  • ==6.1.2

Matching in nixpkgs

Package maintainers

Upstream issue: https://github.com/radareorg/radare2/issues/25482
Upstream patch: https://github.com/radareorg/radare2/commit/4371ae84c99c46b48cb21badbbef06b30757aba0

Upstream disputes the security issue: https://github.com/radareorg/radare2/issues/25482#issuecomment-3989318217
NIXPKGS-2026-0661
published on 16 Mar 2026
Permalink CVE-2026-3081
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
    5 days, 11 hours ago
  • @LeSuisse accepted 5 days, 11 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability

GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of decoding units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28839.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

Ignored packages (8)

Package maintainers

OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0666
published on 16 Mar 2026
Permalink CVE-2026-2923
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
    5 days, 11 hours ago
  • @LeSuisse accepted 5 days, 11 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability

GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

Ignored packages (8)

Package maintainers

OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0674
published on 16 Mar 2026
Permalink CVE-2026-4111
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    28 packages
    • libarchive-qt
    • haskellPackages.libarchive
    • kodiPackages.vfs-libarchive
    • perlPackages.ArchiveLibarchive
    • python312Packages.libarchive-c
    • python313Packages.libarchive-c
    • python314Packages.libarchive-c
    • haskellPackages.libarchive-clib
    • perl5Packages.ArchiveLibarchive
    • perl538Packages.ArchiveLibarchive
    • perl540Packages.ArchiveLibarchive
    • haskellPackages.archive-libarchive
    • haskellPackages.libarchive-conduit
    • perlPackages.ArchiveLibarchivePeek
    • perlPackages.TestArchiveLibarchive
    • perl5Packages.ArchiveLibarchivePeek
    • perl5Packages.TestArchiveLibarchive
    • perl538Packages.ArchiveLibarchivePeek
    • perl538Packages.TestArchiveLibarchive
    • perl540Packages.ArchiveLibarchivePeek
    • perl540Packages.TestArchiveLibarchive
    • perlPackages.ArchiveLibarchiveExtract
    • perl5Packages.ArchiveLibarchiveExtract
    • perl538Packages.ArchiveLibarchiveExtract
    • perl540Packages.ArchiveLibarchiveExtract
    • python312Packages.extractcode-libarchive
    • python313Packages.extractcode-libarchive
    • python314Packages.extractcode-libarchive
    5 days, 12 hours ago
  • @LeSuisse accepted 5 days, 12 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
Libarchive: infinite loop denial of service in rar5 decompression via archive_read_data() in libarchive

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

References

Affected products

rhcos
libarchive

Matching in nixpkgs

Ignored packages (28)

Package maintainers

Upstream patch: https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168
NIXPKGS-2026-0662
published on 16 Mar 2026
Permalink CVE-2026-3082
updated 5 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
    5 days, 11 hours ago
  • @LeSuisse accepted 5 days, 11 hours ago
  • @LeSuisse published on GitHub 5 days, 10 hours ago
GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability

GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

Ignored packages (8)

Package maintainers

OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2