MontaVista CVE List and Response
MontaVista continually monitors the security community and customers for threats. We follow the community on CVE scoring (NVD) and set fix priority accordingly for affected products. Please view the following CVEs that have been remediated or are in process by clicking the CVE Year to the left or use the CVE Filters below.
For inquiries regarding Security Vulnerabilities, please see our Vulnerability Response Policy or email our PSIRT team security@mvista.com. Email messages and attachments can be encrypted using PGP and a MontaVista PSIRT PGP key, which is available for download here.
| CVE | Score | Severity | Package | Description | Published |
|---|---|---|---|---|---|
| CVE-2026-31790 |
5.6 (i)
| MEDIUM | openssl | Issue summary: Applications using RSASVE key encapsulation to establisha secret encryption key can send contents of an uninitialized memory buffer toa malicious peer.Impact summary: The uninitialized buffer might contain sensitive data from theprevious execution of the application process which leads to sensitive dataleakage to an attacker.RSA_public_encrypt() returns the number of bytes written on success and -1on error. The affected code tests only whether the return value is non-zero.As a result, if RSA encryption fails, encapsulation can still return success tothe caller, set the output lengths, and leave the caller to use the contents ofthe ciphertext buffer as if a valid KEM ciphertext had been produced.If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on anattacker-supplied invalid RSA public key without first validating that key,then this may cause stale or uninitialized contents of the caller-providedciphertext buffer to be disclosed to the attacker in place of the KEMciphertext.As a workaround calling EVP_PKEY_public_check() orEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigatethe issue.The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. | 2026-04-07 |
| CVE-2026-28390 |
5.9 (i)
| MEDIUM | openssl | Issue summary: During processing of a crafted CMS EnvelopedData messagewith KeyTransportRecipientInfo a NULL pointer dereference can happen.Impact summary: Applications that process attacker-controlled CMS data maycrash before authentication or cryptographic operations occur resulting inDenial of Service.When a CMS EnvelopedData message that uses KeyTransportRecipientInfo withRSA-OAEP encryption is processed, the optional parameters field ofRSA-OAEP SourceFunc algorithm identifier is examined without checkingfor its presence. This results in a NULL pointer dereference if the fieldis missing.Applications and services that call CMS_decrypt() on untrusted input(e.g., S/MIME processing or CMS-based protocols) are vulnerable.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by thisissue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 |
| CVE-2026-34933 |
5.5 (i)
| MEDIUM | avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | 2026-04-03 |
| CVE-2026-27447 |
4.8 (i)
| MEDIUM | cups | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches. | 2026-04-03 |
| CVE-2026-3184 |
5.6 (i)
| MEDIUM | util-linux | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | 2026-04-03 |
| CVE-2026-35414 |
5.4 (i)
| MEDIUM | openssh | OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. | 2026-04-02 |
| CVE-2026-35388 |
2.5 (i)
| LOW | openssh | OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. | 2026-04-02 |
| CVE-2026-35387 |
3.1 (i)
| LOW | openssh | OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. | 2026-04-02 |
| CVE-2026-35386 |
3.6 (i)
| LOW | openssh | In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. | 2026-04-02 |
| CVE-2026-35385 |
7.5 (i)
| HIGH | openssh | In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). | 2026-04-02 |