MontaVista CVE List and Response

MontaVista continually monitors the security community and customers for threats. We follow the community on CVE scoring (NVD) and set fix priority accordingly for affected products. Please view the following CVEs that have been remediated or are in process by clicking a CVE year to the left or by using the CVE filters below.

For inquiries regarding security vulnerabilities, please see our Vulnerability Response Policy or email our PSIRT team at security@mvista.com. Email messages and attachments can be encrypted using PGP and the MontaVista PSIRT PGP key, which is available for download here.

Fields per entry: CVE | Score | Severity | Package | Published, followed by the description.

CVE-2026-0966 | Score: 6.5 | Severity: MEDIUM | Package: libssh | Published: 2026-03-19
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

CVE-2026-32778 | Score: 5.5 | Severity: MEDIUM | Package: libexpat | Published: 2026-03-16
Description: libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.

CVE-2026-4111 | Score: 7.5 | Severity: HIGH | Package: libarchive | Published: 2026-03-13
Description: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

CVE-2026-4105 | Score: 6.7 | Severity: MEDIUM | Package: systemd | Published: 2026-03-13
Description: A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

CVE-2026-32746 | Score: 9.8 | Severity: CRITICAL | Package: inetutils | Published: 2026-03-13
Description: telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.

CVE-2026-32597 | Score: 7.5 | Severity: HIGH | Package: pyjwt | Published: 2026-03-13
Description: PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

CVE-2026-2673 | Score: 6.5 | Severity: MEDIUM | Package: openssl | Published: 2026-03-13
Description: Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword.
Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicted keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server.
If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported.
As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519') being the only ones in the client's initial keyshare prediction.
OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server, the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares, would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group.
The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'.
No OpenSSL FIPS modules are affected by this issue; the code in question lies outside the FIPS boundary.
OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.

CVE-2026-32249 | Score: 5.3 | Severity: MEDIUM | Package: vim | Published: 2026-03-12
Description: Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.

CVE-2026-3497 | Score: 6.5 | Severity: MEDIUM | Package: openssh | Published: 2026-03-12
Description: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL, the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

CVE-2025-70873 | Score: 4.3 | Severity: MEDIUM | Package: sqlite | Published: 2026-03-12
Description: An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.