SB2026021026 - Meinberg LANTIME firmware update for third-party components
Published: February 10, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2025-15468)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the SSL_CIPHER_find() function. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
2) Type confusion (CVE-ID: CVE-2026-22796)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a type confusion error within the PKCS7_digest_from_attributes() function. A remote attacker can pass specially crafted PKCS#7 data to the application, trigger a type confusion error and perform a denial of service attack.
3) NULL pointer dereference (CVE-ID: CVE-2026-22795)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when parsing PKCS#12 file. A remote attacker can pass a specially crafted PKCS#12 file to the application and perform a denial of service (DoS) attack.
4) NULL pointer dereference (CVE-ID: CVE-2025-69421)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the PKCS12_item_decrypt_d2i_ex function. A remote attacker can pass a specially crafted PKCS#12 file to the application and perform a denial of service (DoS) attack.
5) Type Confusion (CVE-ID: CVE-2025-69420)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a type confusion error within the TS_RESP_verify_response() function when handling ASN1_TYPE data.. A remote attacker can pass a malformed TimeStamp Response to the application and perform a denial of service attack.
6) Out-of-bounds write (CVE-ID: CVE-2025-69419)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error within the PKCS12_get_friendlyname() function when parsing PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point. A remote attacker can pass a specially crafted PKCS#12 file to the application, trigger an out-of-bounds write and perform a denial of service attack.
7) Cleartext transmission of sensitive information (CVE-ID: CVE-2025-69418)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag. When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. A remote attacker can intercept traffic and gain access to potentially sensitive information.
8) Out-of-bounds write (CVE-ID: CVE-2025-68160)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error within the BIO filter (BIO_f_linebuffer). A remote attacker can pass an overly long string to the application, trigger an out-of-bounds write and perform a denial of service attack.
9) Resource exhaustion (CVE-ID: CVE-2025-66199)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in CompressedCertificate. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected.
Servers that do not request client certificates are not vulnerable to client-initiated attacks.
10) Stack-based buffer overflow (CVE-ID: CVE-2025-15467)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters. A remote attacker can supply a specially crafted CMS message with an oversized IV, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Reachable assertion (CVE-ID: CVE-2025-13878)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling BRID/HHIT records. A remote attacker can send a specially crafted DNS request to the server and perform a denial of service attack.
12) Stack-based buffer overflow (CVE-ID: CVE-2025-11187)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when parsing PKCS#12 files. A remote attacker can pass a specially crafted PKCS#12 file to the application, trigger a stack-based buffer overflow and perform a denial of service attack.
13) Out-of-bounds read (CVE-ID: CVE-2025-66293)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the png_image_read_composite() function. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
14) Out-of-bounds read (CVE-ID: CVE-2026-22801)
The vulnerability allows a remote attacker to gain access to potentially sensitive information or crash the application.
The vulnerability exists due to integer truncation within the png_write_image_16bit() and png_write_image_8bit() functions. A remote attacker can supply a specially crafted PNG file to the application, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.
15) Heap-based buffer overflow (CVE-ID: CVE-2025-65018)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the png_image_finish_read() function when processing 16-bit interlaced PNGs with 8-bit output format. A remote attacker can pass a specially crafted image file to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
16) Out-of-bounds read (CVE-ID: CVE-2026-22695)
The vulnerability allows a remote attacker to gain access to potentially sensitive information or crash the application.
The vulnerability exists due to a boundary condition within the png_image_finish_read() function when reading 16-bit PNG images with 8-bit output format and non-minimal row stride. A remote attacker can supply a specially crafted PNG image file to the application, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.
Note, the vulnerability exists due to an incomplete fix for #VU118777 (CVE-2025-65018).
17) Improper authentication (CVE-ID: CVE-2025-15224)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication. In such case the curl would wrongly still ask and authenticate using a locally running SSH agent.
Note, the vulnerability affects libcurl builds that use libssh backend instead of libssh2.
18) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-15079)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists during SSH-based transfers due to the library mistakenly accepts connections to hosts not present in the specified file if they were added as recognized in the libssh global knownhosts file. A remote attacker can perform a MitM attack.
Note, the vulnerability affects libcurl builds that use libssh backend instead of libssh2.
19) Improper Certificate Validation (CVE-ID: CVE-2025-14819)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to the way libcurl handles TLS transfers when using the CURLSSLOPT_NO_PARTIALCHAIN option. A remote attacker can trick the library into re-using a CA store cached in memory for which the partial chain option was reversed, leading to store policy bypass and a potential MitM attack.
20) Insufficiently protected credentials (CVE-ID: CVE-2025-14524)
The vulnerability allows an attacker to obtain bearer token,
The vulnerability exists due to an error when handling cross-protocol redirects. When an oauth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
21) Unsynchronized access to shared data in a multithreaded context (CVE-ID: CVE-2025-14017)
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when performing multithreaded LDAPS transfers (LDAP over TLS) with libcurl. Changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. For example, disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well, leading to a MitM attacks against other websites.
22) Protection Mechanism Failure (CVE-ID: CVE-2025-13034)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor.
To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verifiation.
Remediation
Install update from vendor's website.