NIXPKGS-2026-1700

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-32739

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 4 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

libheif is Vulnerable to Infinite Loop DoS via stts Sample Duration Lookup

https://github.com/strukturag/libheif/security/advisories/GHSA-j9g7-q9hv-gq8c x_refsource_CONFIRM
https://github.com/strukturag/libheif/releases/tag/v1.22.0 x_refsource_MISC

libheif

==< 1.22.0

NIXPKGS-2026-1698

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-32814

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 4 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

libheif: Uninitialized Heap Memory Information Leak via Failed Grid Tiles

https://github.com/strukturag/libheif/security/advisories/GHSA-4m8r-34pg-rvwc x_refsource_CONFIRM
https://github.com/strukturag/libheif/releases/tag/v1.22.0 x_refsource_MISC

libheif

==< 1.22.0

NIXPKGS-2026-1697

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-32741

7.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 4 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

libheif has a heap buffer overflow in decode_mask_image()

https://github.com/strukturag/libheif/security/advisories/GHSA-j3w5-7whq-p37q x_refsource_CONFIRM
https://github.com/strukturag/libheif/releases/tag/v1.22.0 x_refsource_MISC

libheif

==< 1.22.0

NIXPKGS-2026-1699

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-32740

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 4 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

libheif: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing

https://github.com/strukturag/libheif/security/advisories/GHSA-frfr-f3vg-2g6j x_refsource_CONFIRM
https://github.com/strukturag/libheif/releases/tag/v1.22.0 x_refsource_MISC

libheif

==< 1.22.0

NIXPKGS-2026-1696

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-32738

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 4 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk

https://github.com/strukturag/libheif/security/advisories/GHSA-7f2h-cmpf-v9ww x_refsource_CONFIRMexploit

libheif

==< 1.22.0

NIXPKGS-2026-1695

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-32882

7.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 4 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

libheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride

https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46 x_refsource_CONFIRM
https://github.com/strukturag/libheif/releases/tag/v1.22.0 x_refsource_MISC

libheif

==< 1.22.0

NIXPKGS-2026-1693

GitHub issue published 3 weeks, 3 days ago

          Permalink
          
            CVE-2026-33633
          
        7.5 HIGH
      
        CVSS version (CVSS): 3.1
      
          Attack Vector (AV): Network (N)
        
          Attack Complexity (AC): High (H)
        
          Privileges Required (PR): None (N)
        
          User Interaction (UI): Required (R)
        
          Scope (S): Unchanged (U)
        
          Confidentiality (C): High (H)
        
          Integrity (I): High (H)
        
          Availability (A): High (H)
        
          Modified Attack Vector (MAV): Network (N)
        
          Modified Attack Complexity (MAC): High (H)
        
          Modified Privileges Required (MPR): None (N)
        
          Modified User Interaction (MUI): Required (R)
        
          Modified Confidentiality (MC): High (H)
        
          Modified Scope (MS): Unchanged (U)
        
          Modified Integrity (MI): High (H)
        
          Modified Availability (MA): High (H)
        
              updated
            
          3 weeks, 3 days ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 weeks, 4 days ago
          
          @LeSuisse
          
              ignored
            
                9 packages
                kittysay
kitty-img
kitty-themes
kittycad-kcl-lsp
mailman-hyperkitty
haskellPackages.discokitty
mailmanPackages.hyperkitty
mailmanPackages.mailman-hyperkitty
vimPlugins.nvim-treesitter-parsers.kitty

          3 weeks, 3 days ago
          
          @LeSuisse
          
              accepted
            
          3 weeks, 3 days ago
          
          @LeSuisse
          
              published on GitHub
            
          3 weeks, 3 days ago
          
            Kitty has a Heap Buffer Overflow in its Graphics Protocol Handler
          
      https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
    
    x_refsource_CONFIRMexploit
  
      https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34
    
    x_refsource_MISC
  
    kitty

            ==< 0.47.0

NIXPKGS-2026-1694

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2025-57798

5.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 4 days ago
@LeSuisse ignored
2 packages
- joplin-cli
- joplin
3 weeks, 3 days ago
@LeSuisse accepted 3 weeks, 3 days ago
@LeSuisse published on GitHub 3 weeks, 3 days ago

Joplin has Denial of Service (DoS) via Uncontrolled Resource Allocation through Title Input

https://github.com/laurent22/joplin/security/advisories/GHSA-6jm8-gr87-q69x x_refsource_CONFIRM
https://github.com/laurent22/joplin/commit/5b8795da446a5a40c9e212c98b35e368ffce628e x_refsource_MISC

joplin

==< 3.7.1

NIXPKGS-2026-1692

GitHub issue published 3 weeks, 3 days ago

          Permalink
          
            CVE-2026-47107
          
        9.3 CRITICAL
      
        CVSS version (CVSS): 4.0
      
          Attack Vector (AV): Network (N)
        
          Attack Complexity (AC): Low (L)
        
          Attack Requirement (AT): None (N)
        
          Privileges Required (PR): Low (L)
        
          User Interaction (UI): None (N)
        
          Vulnerable System Impact Confidentiality (VC): High (H)
        
          Vulnerable System Impact Integrity (VI): High (H)
        
          Vulnerable System Impact Availability (VA): None (N)
        
          Subsequent System Impact Confidentiality (SC): High (H)
        
          Subsequent System Impact Integrity (SI): High (H)
        
          Subsequent System Impact Availability (SA): None (N)
        
          Modified Attack Vector (MAV): Network (N)
        
          Modified Attack Complexity (MAC): Low (L)
        
          Modified Attack Requirement (MAT): None (N)
        
          Modified Privileges Required (MPR): Low (L)
        
          Modified User Interaction (MUI): None (N)
        
          Modified Vulnerable System Impact Confidentiality (MVC): High (H)
        
          Modified Vulnerable System Impact Integrity (MVI): High (H)
        
          Modified Vulnerable System Impact Availability (MVA): None (N)
        
          Modified Subsequent System Impact Confidentiality (MSC): High (H)
        
          Modified Subsequent System Impact Integrity (MSI): High (H)
        
          Modified Subsequent System Impact Availability (MSA): Negligible (N)
        
          Safety (S): Not Defined (X)
        
          Automatable (AU): Not Defined (X)
        
          Recovery (R): Not Defined (X)
        
          Value Density (V): Not Defined (X)
        
          Vulnerability Response Effort (RE): Not Defined (X)
        
          Provider Urgency (U): Not Defined (X)
        
          Confidentiality Req. (CR): Not Defined (X)
        
          Integrity Req. (IR): Not Defined (X)
        
          Availability Req. (AR): Not Defined (X)
        
          Exploit Maturity (E): Not Defined (X)
        
              updated
            
          3 weeks, 3 days ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 weeks, 4 days ago
          
          @LeSuisse
          
              accepted
            
          3 weeks, 3 days ago
          
          @LeSuisse
          
              published on GitHub
            
          3 weeks, 3 days ago
          
            Windmill < 1.703.2 Incorrect Default Permissions in nsjail Configuration
          
      https://github.com/windmill-labs/windmill/releases/tag/v1.703.2
    
    release-notes
  
      https://github.com/windmill-labs/windmill/pull/9194
    
    issue-trackingexploit
  
      https://github.com/windmill-labs/windmill/commit/f8467f38c8a053117ce62f96684cfb…
    
    patch
  
      https://www.vulncheck.com/advisories/windmill-incorrect-default-permissions-in-…
    
    windmill

            ==f8467f38c8a053117ce62f96684cfb15ef792f08
          
            <1.703.2

NIXPKGS-2026-1691

GitHub issue published 3 weeks, 3 days ago

          Permalink
          
            CVE-2026-33642
          
        9.9 CRITICAL
      
        CVSS version (CVSS): 3.1
      
          Attack Vector (AV): Network (N)
        
          Attack Complexity (AC): Low (L)
        
          Privileges Required (PR): None (N)
        
          User Interaction (UI): None (N)
        
          Scope (S): Changed (C)
        
          Confidentiality (C): Low (L)
        
          Integrity (I): Low (L)
        
          Availability (A): High (H)
        
          Modified Attack Vector (MAV): Network (N)
        
          Modified Attack Complexity (MAC): Low (L)
        
          Modified Privileges Required (MPR): None (N)
        
          Modified User Interaction (MUI): None (N)
        
          Modified Confidentiality (MC): Low (L)
        
          Modified Scope (MS): Changed (C)
        
          Modified Integrity (MI): Low (L)
        
          Modified Availability (MA): High (H)
        
              updated
            
          3 weeks, 3 days ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 weeks, 4 days ago
          
          @LeSuisse
          
              ignored
            
                9 packages
                kittysay
kitty-img
kitty-themes
kittycad-kcl-lsp
mailman-hyperkitty
haskellPackages.discokitty
mailmanPackages.hyperkitty
mailmanPackages.mailman-hyperkitty
vimPlugins.nvim-treesitter-parsers.kitty

          3 weeks, 3 days ago
          
          @LeSuisse
          
              accepted
            
          3 weeks, 3 days ago
          
          @LeSuisse
          
              published on GitHub
            
          3 weeks, 3 days ago
          
            Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check
          
      https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x
    
    x_refsource_CONFIRMexploit
  
      https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34
    
    x_refsource_MISC
  
    kitty

            ==< 0.47.0

Nixpkgs security tracker

Published issues

libheif is Vulnerable to Infinite Loop DoS via stts Sample Duration Lookup

libheif: Uninitialized Heap Memory Information Leak via Failed Grid Tiles

libheif has a heap buffer overflow in decode_mask_image()

libheif: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing

libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk

libheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride

Kitty has a Heap Buffer Overflow in its Graphics Protocol Handler

Joplin has Denial of Service (DoS) via Uncontrolled Resource Allocation through Title Input

Windmill < 1.703.2 Incorrect Default Permissions in nsjail Configuration

Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check