SB2026012076 - Multiple vulnerabilities in Oracle Solaris
Published: January 20, 2026 Updated: February 6, 2026
Description
This security bulletin contains information about 34 security vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2025-13946)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the MEGACO dissector. A remote attacker can send specially crafted data over the network, consume all available system resources and cause denial of service conditions.
2) Protection mechanism failure (CVE-ID: CVE-2025-14331)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the Request Handling component. A remote attacker can trick the victim into visiting a specially crafted website and bypass Same-Origin policy.
3) Buffer overflow (CVE-ID: CVE-2025-14333)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CVE-ID: CVE-2025-58098)
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to insufficient input validation with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi). The web server passes the shell-escaped query string to #exec cmd="..." directives. A remote attacker can send a specially crafted HTTP request to the server and potentially execute arbitrary code.
5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-59775)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when AllowEncodedSlashes is "On" and MergeSlashes is "Off". A remote attacker can send a specially crafted HTTP request and force the web server into leaking NTLM hashes.
Note, the vulnerability affects Windows installations only.
6) Code injection (CVE-ID: CVE-2025-65082)
The vulnerability allows a local user to affect web server behavior.
The vulnerability exists due to improper input validation when handling environment variables set via the Apache configuration. A local user can set specially crafted values that supersede variables calculated by the server for CGI programs.
7) Input validation error (CVE-ID: CVE-2025-66200)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when parsing the RequestHeader directive in .htaccess files. A local user can bypass mod_userdir+suexec security measures via AllowOverride FileInfo and run certain CGI scripts under an unexpected userid.
8) Input validation error (CVE-ID: CVE-2025-13945)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the HTTP3 dissector when decrypting traffic using a keylog file or loading a capture file that contains decryption secrets. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
9) Resource management error (CVE-ID: CVE-2025-64460)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the django.core.serializers.xml_serializer.getInnerText() function of XML Deserializer when handling XML data. A remote attacker can pass specially crafted XML input to the application and perform a denial of service (DoS) attack.
10) Improper privilege management (CVE-ID: CVE-2025-14329)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper privilege management in the Netmonitor component. A remote attacker can trick the victim into visiting a specially crafted website and bypass implemented security restrictions.
11) Input validation error (CVE-ID: CVE-2025-9817)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the SSH dissector. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
12) OS Command Injection (CVE-ID: CVE-2023-51385)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when a user name or host name that contains shell metacharacters is referenced by an expansion token in certain situations. A remote attacker can execute arbitrary OS commands via an untrusted Git repository.
13) Protection mechanism failure (CVE-ID: CVE-2025-32728)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists because the software does not properly handle the DisableForwarding directive, which does not disable X11 forwarding and agent forwarding as documented. A remote user can bypass the application's expected behavior and implemented security restrictions.
14) Improper Neutralization of Null Byte or NUL Character (CVE-ID: CVE-2025-61985)
The vulnerability allows a remote attacker to execute arbitrary OS commands on the system.
The vulnerability exists due to incorrect handling of the null byte character in an ssh:// URI if a ProxyCommand that uses the %r expansion was configured. A remote attacker can trick the victim into using a specially crafted ssh command to connect to a remote server and execute arbitrary OS commands on the system.
This vulnerability affects the ssh client command and does not affect the sshd daemon.
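A defensive check for the precondition named in entry 14, added here as an example and not taken from the bulletin or from OpenSSH: it scans ssh_config text for ProxyCommand directives that expand %r, so that clients with that configuration can be prioritised for the update. The sample configuration, host names and function names are constructed for illustration.

```python
import re

# Constructed sample ssh_config for this example (not from the bulletin).
SAMPLE_CONFIG = """\
Host *.internal.example.org
    User deploy
    ProxyCommand ssh -W %h:%p %r@jump.example.org

Host legacy
    proxycommand=/usr/bin/nc -X connect -x proxy.example.org:3128 %h %p

# ProxyCommand ssh %r@commented.example.org
Match host build*
    ProxyCommand /opt/tools/tunnel --user '%r' --literal %%r --target %h
"""

def split_directive(line):
    """Return (keyword, argument) for a config line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
    return (m.group(1).lower(), m.group(2).strip()) if m else None

def uses_token(argument, token="r"):
    """True if the argument contains %<token>, ignoring the escaped form %%."""
    i = 0
    while i < len(argument) - 1:
        if argument[i] == "%":
            if argument[i + 1] == token:
                return True
            i += 2  # skip "%%" or any other two-character token
        else:
            i += 1
    return False

def find_proxycommand_with_remote_user(config_text):
    """List (line number, enclosing Host/Match block, command) for each hit."""
    findings, block = [], "(global)"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parsed = split_directive(raw)
        if parsed is None:
            continue
        keyword, argument = parsed
        if keyword in ("host", "match"):
            block = f"{keyword} {argument}"
        elif keyword == "proxycommand" and uses_token(argument):
            findings.append((lineno, block, argument))
    return findings
```

The scan covers a single file and does not follow Include directives, so each included file has to be passed in separately.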
15) Input validation error (CVE-ID: CVE-2025-14330)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to JIT miscompilation in the JavaScript Engine JIT component. A remote attacker can trick the victim into visiting a specially crafted website and bypass implemented security restrictions.
16) Improper privilege management (CVE-ID: CVE-2025-14328)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper privilege management in the Netmonitor component. A remote attacker can trick the victim into visiting a specially crafted website and bypass implemented security restrictions.
17) OS Command Injection (CVE-ID: CVE-2025-10230)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the WINS server. A remote attacker can send a specially crafted hostname to the server containing shell commands and execute arbitrary OS commands on the target system.
18) Acceptance of Extraneous Untrusted Data With Trusted Data (CVE-ID: CVE-2025-5994)
The vulnerability allows a remote attacker to perform cache poisoning attacks.
The vulnerability exists due to a logic error in the EDNS Client Subnet (ECS) implementation. A remote attacker can perform cache poisoning attacks against Unbound servers with ECS support, a.k.a. Rebirthday Attack.
Successful exploitation of the vulnerability requires that the server is compiled with '--enable-subnet' and configured to send ECS information to upstream name servers with at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options.
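The two preconditions stated for entry 18 can be checked mechanically. The following is an added example, not code from the bulletin or from Unbound: it takes the build's configure flags and the text of unbound.conf and reports whether both conditions hold. The sample inputs and function names are constructed, and treating a yes/no option set to "no" as inactive is an assumption of this example.

```python
# Option names are the three listed in the bulletin entry above.
ECS_OPTIONS = ("send-client-subnet", "client-subnet-zone",
               "client-subnet-always-forward")

# Constructed inputs for this example (not from the bulletin).
SAMPLE_CONFIGURE_FLAGS = "--prefix=/usr --enable-subnet --with-libevent"
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    # send-client-subnet: 198.51.100.0/24
    send-client-subnet: 192.0.2.53   # upstream name server
    client-subnet-zone: "cdn.example.net"
    client-subnet-always-forward: no
"""

def ecs_sending_options(conf_text):
    """Return (line number, option, value) for each ECS-sending option that is set."""
    active = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        value = value.strip("\"'")
        if name not in ECS_OPTIONS or not value:
            continue
        # Assumption: a yes/no switch set to "no" does not enable sending.
        if name == "client-subnet-always-forward" and value.lower() != "yes":
            continue
        active.append((lineno, name, value))
    return active

def meets_preconditions(configure_flags, conf_text):
    """True only when both conditions named in the bulletin hold."""
    built_with_ecs = "--enable-subnet" in configure_flags.split()
    return built_with_ecs and bool(ecs_sending_options(conf_text))
```

Files pulled in through include directives are not followed, so each one has to be checked as well.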
19) Information exposure through externally-generated error message (CVE-ID: CVE-2025-62168)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application while handling error conditions. A remote authenticated user can identify security tokens or credentials used internally by a web application using Squid for backend load balancing.
20) Use-after-free (CVE-ID: CVE-2025-14321)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the WebRTC Signaling component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
21) Integer overflow (CVE-ID: CVE-2025-55753)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an integer overflow in mod_md (ACME) in the case of failed ACME certificate renewal. The backoff timer becomes 0 after a number of failures (~30 days in default configurations), leading to a denial of service condition.
22) Input validation error (CVE-ID: CVE-2025-13499)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the Kafka dissector. A remote attacker can trick a victim into reading a malformed packet trace file and perform a denial of service (DoS) attack.
23) Out-of-bounds read (CVE-ID: CVE-2025-11021)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when parsing cookies with specially crafted expiration dates. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read error and read contents of memory on the system.
24) Use-after-free (CVE-ID: CVE-2025-12105)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a use-after-free error in the queue item management logic. A remote attacker can send a specially crafted response to the application and perform a denial of service attack.
25) SQL injection (CVE-ID: CVE-2025-13372)
The vulnerability allows a remote user to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in FilteredRelation when handling column aliases. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in the database and gain complete control over the affected application.
26) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-18860)
The vulnerability allows a remote attacker to perform a cache poisoning attack.
The vulnerability exists due to improper input validation of HTML code within the hostname parameter in cachemgr.cgi. A remote attacker can send a specially crafted HTTP request and poison the cache.
27) Input validation error (CVE-ID: CVE-2025-14325)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to JIT miscompilation in the JavaScript Engine JIT component. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
28) Insufficient verification of data authenticity (CVE-ID: CVE-2025-11411)
The vulnerability allows a remote attacker to poison the DNS cache.
The vulnerability exists due to incorrect processing of DNS responses that contain NS RRSets. A remote attacker can poison the DNS cache of the affected server.
29) Infinite loop (CVE-ID: CVE-2025-11626)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop in the MONGO dissector. A remote attacker can consume all available system resources and cause denial of service conditions.
30) OS Command Injection (CVE-ID: CVE-2025-61984)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper validation of control characters in usernames obtained from an untrusted source (such as command line and %-sequence expansion of a configuration file). A remote attacker can trick the victim into initiating an ssh connection using a specially crafted configuration file and execute arbitrary shell commands on the system.
This vulnerability affects the ssh client command and does not affect the sshd daemon.
31) Out-of-bounds read (CVE-ID: CVE-2025-9640)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.
32) Buffer overflow (CVE-ID: CVE-2025-14322)
The vulnerability allows a remote attacker to escape sandbox restrictions.
The vulnerability exists due to a boundary error in the Graphics CanvasWebGL component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and escape sandbox restrictions.
33) Improper privilege management (CVE-ID: CVE-2025-14323)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper privilege management in the DOM Notifications component. A remote attacker can trick the victim into visiting a specially crafted website and bypass implemented security restrictions.
34) Input validation error (CVE-ID: CVE-2025-14324)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to JIT miscompilation in the JavaScript Engine JIT component. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
Remediation
Install the update from the vendor's website.