CWE-696
Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.
CVE-2024-35229 (GCVE-0-2024-35229)
Vulnerability from cvelistv5 – Published: 2024-05-27 16:20 – Updated: 2024-09-03 16:03 – CWE-696 - Incorrect Behavior Order

| URL | Tags |
|---|---|
| https://github.com/matter-labs/era-compiler-solid… | x_refsource_CONFIRM |
| https://github.com/matter-labs/era-compiler-solid… | x_refsource_MISC |

| Vendor | Product | Version |
|---|---|---|
| matter-labs | era-compiler-solidity | Affected: < 1.3.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-jf9w-7f5g-j95p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-jf9w-7f5g-j95p"
},
{
"name": "https://github.com/matter-labs/era-compiler-solidity/commit/46ce047b51576495779b9f67534207d8154eab79",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/matter-labs/era-compiler-solidity/commit/46ce047b51576495779b9f67534207d8154eab79"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:matter-labs:era-compiler-solidity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "era-compiler-solidity",
"vendor": "matter-labs",
"versions": [
{
"lessThan": "1.3.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T20:53:12.579727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T16:03:02.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "era-compiler-solidity",
"vendor": "matter-labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to version 1.3.10, there is a very specific pattern `f(a(),b()); check_if_a_executed_last()` in Yul that exposes a bug in evaluation order of Yul function arguments. This vulnerability has been fixed in version 1.3.10. As a workaround, update and redeploy affected contracts.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-27T16:20:27.432Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-jf9w-7f5g-j95p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-jf9w-7f5g-j95p"
},
{
"name": "https://github.com/matter-labs/era-compiler-solidity/commit/46ce047b51576495779b9f67534207d8154eab79",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/matter-labs/era-compiler-solidity/commit/46ce047b51576495779b9f67534207d8154eab79"
}
],
"source": {
"advisory": "GHSA-jf9w-7f5g-j95p",
"discovery": "UNKNOWN"
},
"title": "ZKsync Era evaluation order of Yul function arguments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35229",
"datePublished": "2024-05-27T16:20:27.432Z",
"dateReserved": "2024-05-14T15:39:41.785Z",
"dateUpdated": "2024-09-03T16:03:02.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0150 (GCVE-0-2025-0150)
Vulnerability from cvelistv5 – Published: 2025-03-11 17:06 – Updated: 2025-03-11 18:47 – CWE-696 - Incorrect Behavior Order

| Vendor | Product | Version |
|---|---|---|
| Zoom Communications, Inc | Zoom Workplace Apps for iOS | Affected: 0, < 6.3.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T18:46:54.754347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T18:47:03.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "Zoom Workplace Apps for iOS",
"vendor": "Zoom Communications, Inc",
"versions": [
{
"lessThan": "6.3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-03-11T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect behavior order in some Zoom Workplace Apps for iOS before version 6.3.0 may allow an authenticated user to conduct a denial of service via network access.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Incorrect behavior order in some Zoom Workplace Apps for iOS before version 6.3.0 may allow an authenticated user to conduct a denial of service via network access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T17:06:43.951Z",
"orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
"shortName": "Zoom"
},
"references": [
{
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25009/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Zoom Workplace Apps for iOS - Incorrect Behavior Order",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
"assignerShortName": "Zoom",
"cveId": "CVE-2025-0150",
"datePublished": "2025-03-11T17:06:43.951Z",
"dateReserved": "2024-12-23T21:42:59.174Z",
"dateUpdated": "2025-03-11T18:47:03.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20012 (GCVE-0-2025-20012)
Vulnerability from cvelistv5 – Published: 2025-05-13 21:01 – Updated: 2025-11-03 19:35 – Information Disclosure – CWE-696 - Incorrect Behavior Order

| Vendor | Product | Version |
|---|---|---|
| n/a | Intel(R) Core™ Ultra Processors | Affected: See references |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T20:19:54.668389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:36:01.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:20.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Intel(R) Core\u2122 Ultra Processors",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "See references"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect behavior order for some Intel(R) Core\u2122 Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en"
},
{
"cweId": "CWE-696",
"description": "Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T21:01:33.504Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2025-20012",
"datePublished": "2025-05-13T21:01:33.504Z",
"dateReserved": "2025-01-24T04:00:26.691Z",
"dateUpdated": "2025-11-03T19:35:20.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31485 (GCVE-0-2025-31485)
Vulnerability from cvelistv5 – Published: 2025-04-03 19:31 – Updated: 2025-04-08 13:15 – CWE-696 - Incorrect Behavior Order

| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/7af65… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/cba3a… | x_refsource_MISC |
| https://github.com/api-platform/core/releases/tag… | x_refsource_MISC |

| Vendor | Product | Version |
|---|---|---|
| api-platform | core | Affected: >= 4.0.0-alpha.1, < 4.0.22; Affected: < 3.4.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T19:59:34.529256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:59:57.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.0.22"
},
{
"status": "affected",
"version": "\u003c 3.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\\GraphQl\\Serializer\\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:15:23.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3"
},
{
"name": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8"
},
{
"name": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a"
},
{
"name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
}
],
"source": {
"advisory": "GHSA-428q-q3vv-3fq3",
"discovery": "UNKNOWN"
},
"title": "GraphQL grant on a property might be cached with different objects"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31485",
"datePublished": "2025-04-03T19:31:46.021Z",
"dateReserved": "2025-03-28T13:36:51.298Z",
"dateUpdated": "2025-04-08T13:15:23.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48965 (GCVE-0-2025-48965)
Vulnerability from cvelistv5 – Published: 2025-07-20 00:00 – Updated: 2025-11-03 20:04- CWE-696 - Incorrect Behavior Order
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48965",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T14:32:31.061413Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T15:16:20.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:04:59.015Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "mbedtls",
"vendor": "Mbed",
"versions": [
{
"lessThan": "3.6.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mbed:mbedtls:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696 Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-20T17:57:03.445Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/"
},
{
"url": "https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-6.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48965",
"datePublished": "2025-07-20T00:00:00.000Z",
"dateReserved": "2025-05-29T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:04:59.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55114 (GCVE-0-2025-55114)
Vulnerability from cvelistv5 – Published: 2025-09-16 12:20 – Updated: 2025-09-16 13:17 – CWE-696 - Incorrect Behavior Order

| URL | Tags |
|---|---|
| https://bmcapps.my.site.com/casemgmt/sc_Knowledge… | vendor-advisory |
| https://bmcapps.my.site.com/casemgmt/sc_Knowledge… | mitigation |

| Vendor | Product | Version |
|---|---|---|
| BMC | Control-M/Agent | Unaffected: 9.0.21 (semver); Affected: 9.0.20 (semver); Affected: 9.0.19 (semver); Affected: 9.0.18 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T13:17:25.002139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T13:17:35.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Control-M/Agent",
"vendor": "BMC",
"versions": [
{
"status": "unaffected",
"version": "9.0.21",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.0.20",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.0.19",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.0.18",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SAS - Jean-Romain Garnier - seclab@airbus.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eThe improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696 Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T12:20:30.958Z",
"orgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
"shortName": "airbus"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099"
},
{
"tags": [
"mitigation"
],
"url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441968"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BMC Control-M/Agent improper IP address filtering order",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
"assignerShortName": "airbus",
"cveId": "CVE-2025-55114",
"datePublished": "2025-09-16T12:20:30.958Z",
"dateReserved": "2025-08-07T07:24:22.470Z",
"dateUpdated": "2025-09-16T13:17:35.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9904 (GCVE-0-2025-9904)
Vulnerability from cvelistv5 – Published: 2025-09-29 00:46 – Updated: 2026-03-15 23:38 – CWE-696 - Incorrect Behavior Order

| URL | Tags |
|---|---|
| https://psirt.canon/advisory-information/cp2025-005/ | vendor-advisory |
| https://canon.jp/support/support-info/250925vulne… | vendor-advisory |
| https://www.usa.canon.com/about-us/to-our-custome… | vendor-advisory |
| https://www.canon-europe.com/support/product-security/ | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Canon Inc. | Generic Plus PCL6 Printer Driver | Affected: 3.30 and earlier |
| Canon Inc. | Generic Plus UFR II Printer Driver | Affected: 3.30 and earlier |
| Canon Inc. | Generic Plus LIPS4 Printer Driver | Affected: 3.30 and earlier |
| Canon Inc. | Generic Plus LIPSLX Printer Driver | Affected: 3.30 and earlier |
| Canon Inc. | Generic Plus PS Printer Driver | Affected: 3.30 and earlier |
| Canon Inc. | UFRII LT Printer Driver | Affected: 31.05 and earlier |
| Canon Inc. | CARPS2 Printer Driver | Affected: 31.05 and earlier |
| Canon Inc. | Generic FAX Driver | Affected: 10.67 and earlier |
| Canon Inc. | LIPS4 Printer Driver | Affected: 15.00 and earlier |
| Canon Inc. | LIPSLX Printer Driver | Affected: 15.00 and earlier |
| Canon Inc. | UFR II Printer Driver | Affected: 15.00 and earlier |
| Canon Inc. | PS Printer Driver | Affected: 15.00 and earlier |
| Canon Inc. | PCL6 Printer Driver | Affected: 15.00 and earlier |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T11:51:02.961297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T11:51:13.329Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Generic Plus PCL6 Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "3.30 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Generic Plus UFR II Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "3.30 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Generic Plus LIPS4 Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "3.30 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Generic Plus LIPSLX Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "3.30 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Generic Plus PS Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "3.30 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UFRII LT Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "31.05 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CARPS2 Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "31.05 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Generic FAX Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "10.67 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "LIPS4 Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "15.00 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "LIPSLX Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "15.00 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UFR II Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "15.00 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PS Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "15.00 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PCL6 Printer Driver",
"vendor": "Canon Inc.",
"versions": [
{
"status": "affected",
"version": "15.00 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unallocated memory access vulnerability in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver / UFRII LT Printer Driver / CARPS2 Printer Driver / Generic FAX Driver / LIPS4 Printer Driver / LIPSLX Printer Driver / UFR II Printer Driver / PS Printer Driver / PCL6 Printer Driver"
}
],
"value": "Unallocated memory access vulnerability in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver / UFRII LT Printer Driver / CARPS2 Printer Driver / Generic FAX Driver / LIPS4 Printer Driver / LIPSLX Printer Driver / UFR II Printer Driver / PS Printer Driver / PCL6 Printer Driver"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-15T23:38:21.389Z",
"orgId": "f98c90f0-e9bd-4fa7-911b-51993f3571fd",
"shortName": "Canon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://psirt.canon/advisory-information/cp2025-005/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://canon.jp/support/support-info/250925vulnerability-response"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.usa.canon.com/about-us/to-our-customers/cp2025-005-vulnerabilities-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-laser-printers"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.canon-europe.com/support/product-security/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f98c90f0-e9bd-4fa7-911b-51993f3571fd",
"assignerShortName": "Canon",
"cveId": "CVE-2025-9904",
"datePublished": "2025-09-29T00:46:03.660Z",
"dateReserved": "2025-09-03T07:03:50.381Z",
"dateUpdated": "2026-03-15T23:38:21.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33305 (GCVE-0-2026-33305)
Vulnerability from cvelistv5 – Published: 2026-03-19 20:30 – Updated: 2026-03-21 03:31

| URL | Tags |
|---|---|
| https://github.com/openemr/openemr/security/advis… | x_refsource_CONFIRM |
| https://github.com/openemr/openemr/commit/edb6593… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33305",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:30:52.867142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:31:08.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openemr",
"vendor": "openemr",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods \u2014 including `getNotificationLog()`, which returns patient appointment data (PHI) \u2014 regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T20:30:57.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc"
},
{
"name": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11"
}
],
"source": {
"advisory": "GHSA-r973-h5cq-35rc",
"discovery": "UNKNOWN"
},
"title": "OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33305",
"datePublished": "2026-03-19T20:30:57.300Z",
"dateReserved": "2026-03-18T18:55:47.428Z",
"dateUpdated": "2026-03-21T03:31:08.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35386 (GCVE-0-2026-35386)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:44 – Updated: 2026-04-03 03:55 – CWE-696 - Incorrect Behavior Order
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:45.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696 Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:15:59.616Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openssh.org/releasenotes.html#10.3p1"
},
{
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=177513443901484\u0026w=2"
},
{
"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-35386",
"datePublished": "2026-04-02T16:44:27.806Z",
"dateReserved": "2026-04-02T16:44:27.451Z",
"dateUpdated": "2026-04-03T03:55:45.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35627 (GCVE-0-2026-35627)
Vulnerability from cvelistv5 – Published: 2026-04-09 21:26 – Updated: 2026-04-10 12:32 – X_Open Source – CWE-696 - Incorrect Behavior Order
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | third-party-advisory |
| https://github.com/openclaw/openclaw/commit/630f1… | patch |
| https://github.com/openclaw/openclaw/commit/1ee96… | patch |
| https://www.vulncheck.com/advisories/openclaw-una… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T12:31:53.149186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T12:32:16.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.3.22",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.3.22",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.3.22",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Karan Kurani (@kuranikaran)"
}
],
"datePublic": "2026-03-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T21:26:59.196Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-65h8-27jh-q8wv)",
"tags": [
"third-party-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv"
},
{
"name": "Patch Commit #1",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"name": "Patch Commit #2",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling"
}
],
"tags": [
"x_open-source"
],
"title": "OpenClaw \u003c 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-35627",
"datePublished": "2026-04-09T21:26:59.196Z",
"dateReserved": "2026-04-04T12:29:42.738Z",
"dateUpdated": "2026-04-10T12:32:16.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.