SB2026012829 - Tenable Network Monitor update for third-party components 




Published: January 28, 2026

Security Bulletin ID: SB2026012829
Severity: High
Patch available: YES
Number of vulnerabilities: 22
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 18% Medium 41% Low 41%

Description

This security bulletin contains information about 22 security vulnerabilities.


1) Use of insufficiently random values (CVE-ID: CVE-2025-10148)

The vulnerability allows a remote attacker to perform cache poisoning. 

The vulnerability exists because the WebSocket code does not update the 32-bit mask pattern for each new outgoing frame as the specification requires. Instead, it uses a fixed mask that persists throughout the entire connection. As a result, a malicious server can induce traffic between the two communicating parties that can be interpreted by an involved proxy and poison cached content.
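
An added example, not code from curl or from this bulletin: a Python illustration of RFC 6455 client frame masking with a fresh key per frame, plus a check that flags a capture in which every frame carries the same key, which is the behaviour described above. The function names, the `FIXED` key and the sample payloads are constructed for illustration.

```python
import secrets
import struct

def build_client_frame(payload, mask_key=None, opcode=0x2):
    """Encode one FIN client-to-server frame (RFC 6455, section 5.2)."""
    # A compliant client draws a new 4-byte key for every frame.
    key = mask_key if mask_key is not None else secrets.token_bytes(4)
    n = len(payload)
    if n < 126:
        length = bytes([0x80 | n])
    elif n < 65536:
        length = bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        length = bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return bytes([0x80 | opcode]) + length + key + masked

def iter_frames(stream):
    """Yield (mask_key, unmasked_payload) for each frame in a client capture."""
    pos = 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated frame header")
        masked_bit, n = stream[pos + 1] & 0x80, stream[pos + 1] & 0x7F
        pos += 2
        if n == 126:
            (n,) = struct.unpack_from("!H", stream, pos)
            pos += 2
        elif n == 127:
            (n,) = struct.unpack_from("!Q", stream, pos)
            pos += 8
        if not masked_bit:
            raise ValueError("client frame without the mask bit set")
        if pos + 4 + n > len(stream):
            raise ValueError("truncated frame")
        key, body = stream[pos:pos + 4], stream[pos + 4:pos + 4 + n]
        pos += 4 + n
        yield key, bytes(b ^ key[i % 4] for i, b in enumerate(body))

def fixed_mask_reused(stream):
    """True when two or more frames all carry the same masking key."""
    keys = [key for key, _ in iter_frames(stream)]
    return len(keys) > 1 and len(set(keys)) == 1

# Constructed sample captures (not real traffic); FIXED is an arbitrary key.
FIXED = b"\x11\x22\x33\x44"
PAYLOADS = (b"one", b"two", b"x" * 200)
BUGGY = b"".join(build_client_frame(p, FIXED) for p in PAYLOADS)
PATCHED = b"".join(build_client_frame(p) for p in PAYLOADS)
```
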


2) Use-after-free (CVE-ID: CVE-2024-0232)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the jsonParseAddNodeArray() function in sqlite3.c. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.


3) Out-of-bounds read (CVE-ID: CVE-2023-7104)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the sessionReadRecord() function in ext/session/sqlite3session.c when processing a corrupt changeset. A remote user can send a specially crafted request to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.


4) Improper authentication (CVE-ID: CVE-2025-15224)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error when curl performs SSH-based transfers using either SCP or SFTP and is asked to do public key authentication. In that case, curl would wrongly still ask and authenticate using a locally running SSH agent.

Note, the vulnerability affects libcurl builds that use the libssh backend instead of libssh2.



5) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-15079)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists during SSH-based transfers because the library mistakenly accepts connections to hosts not present in the specified file if they were added as recognized in the libssh global knownhosts file. A remote attacker can perform a MitM attack.

Note, the vulnerability affects libcurl builds that use the libssh backend instead of libssh2.


6) Improper Certificate Validation (CVE-ID: CVE-2025-14819)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to the way libcurl handles TLS transfers when using the CURLSSLOPT_NO_PARTIALCHAIN option. A remote attacker can trick the library into re-using a CA store cached in memory for which the partial chain option was reversed, leading to store policy bypass and a potential MitM attack.


7) Insufficiently protected credentials (CVE-ID: CVE-2025-14524)

The vulnerability allows an attacker to obtain a bearer token.

The vulnerability exists due to an error when handling cross-protocol redirects. When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.


8) Unsynchronized access to shared data in a multithreaded context (CVE-ID: CVE-2025-14017)

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when performing multithreaded LDAPS transfers (LDAP over TLS) with libcurl. Changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently set up transfers. For example, disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well, leading to MitM attacks against other websites.


9) Protection Mechanism Failure (CVE-ID: CVE-2025-13034)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. When using the CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped under a certain condition, which would make curl allow the connection without performing the proper check, thus not noticing a possible impostor.

For this check to be skipped, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.


10) Key Exchange without Entity Authentication (CVE-ID: CVE-2025-10966)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to missing SFTP host key verification when using the wolfSSH-powered backend. A remote attacker can perform a MitM attack.


11) Improper Certificate Validation (CVE-ID: CVE-2025-5025)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because libcurl does not perform pinning of the server certificate public key for HTTPS transfers when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. A remote attacker can perform a Man-in-the-middle (MitM) attack and trick the victim into connecting to a malicious server.


12) Improper Certificate Validation (CVE-ID: CVE-2025-4947)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to missing certificate validation for QUIC connections when connecting to a host specified as an IP address in the URL. A remote attacker can perform a Man-in-the-middle (MitM) attack.

Note, successful exploitation of the vulnerability requires wolfSSL to be used as the TLS backend for QUIC to trigger.


13) Use-after-free (CVE-ID: CVE-2025-31498)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the read_answers() function. A remote attacker can send specially crafted ICMP UNREACHABLE packets to the application, trigger a use-after-free error and execute arbitrary code on the system.



14) Use-after-free (CVE-ID: CVE-2025-62408)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a use-after-free error within the read_answer() function when process_answer() terminates a query such as after maximum attempts. A remote attacker can perform a denial of service attack.

Note, the vulnerability exists due to an incomplete fix for #VU107155 (CVE-2025-31498).


15) Resource exhaustion (CVE-ID: CVE-2025-59375)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger large dynamic memory allocations via a small document and perform a denial of service (DoS) attack.


16) Stack-based buffer overflow (CVE-ID: CVE-2024-8176)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling XML content. A remote attacker can pass specially crafted XML content to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


17) Type Confusion (CVE-ID: CVE-2025-11731)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error within the exsltFuncResultComp() function when handling EXSLT elements during stylesheet parsing. A remote attacker can pass specially crafted XML data to the application, trigger a type confusion error and perform a denial of service (DoS) attack.


18) Use-after-free (CVE-ID: CVE-2025-7425)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the xsltSetSourceNodeFlags() function. A remote attacker can pass specially crafted XML input to the application, trigger memory corruption and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


19) Use-after-free (CVE-ID: CVE-2025-10911)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error when parsing XSL nodes. A remote attacker can pass a specially crafted XML file to the application and crash it.


20) Type Confusion (CVE-ID: CVE-2025-49796)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error within the xmlSchematronFormatReport() function when processing sch:name elements in schematron.c. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and crash the application. 


21) Use-after-free (CVE-ID: CVE-2025-49794)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the xmlSchematronGetNode() function when processing XPath expressions in Schematron schema elements in schematron.c. A remote attacker can pass specially crafted XML input to the application and perform a denial of service (DoS) attack.


22) Integer overflow (CVE-ID: CVE-2025-6021)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow within the xmlBuildQName() function in tree.c. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Install the update from the vendor's website.