SB2026021956 - Splunk Enterprise Security update for third-party components
Published: February 19, 2026
Description
This security bulletin contains information about 20 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2025-58187)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to quadratic complexity when checking name constraints in crypto/x509. A remote attacker can pass a specially crafted x509 certificate to the application and trigger resource exhaustion.
2) Path traversal (CVE-ID: CVE-2025-27210)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an input validation error when processing directory traversal sequences affecting Windows device names like CON, PRN, and AUX. A local user can escalate privileges on the system.
Note, this vulnerability exists due to an incomplete fix for #VU103223 (CVE-2025-23084).
3) Improper error handling (CVE-ID: CVE-2025-23166)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect error handling in async cryptographic operations within the SignTraits::DeriveBits() function. A remote attacker can send specially crafted input to the application and crash the Node.js runtime.
4) Resource exhaustion (CVE-ID: CVE-2025-61725)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the ParseAddress function in net/mail does not properly control consumption of internal resources. A remote attacker can compose a specially crafted email message that triggers excessive CPU consumption, leading to denial of service.
5) Resource exhaustion (CVE-ID: CVE-2025-61724)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/textproto because the Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. A remote attacker can trigger excessive CPU consumption and perform a denial of service (DoS) attack.
6) Resource exhaustion (CVE-ID: CVE-2025-61723)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/pem because the application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.
7) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-58189)
The vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to missing sanitization of input data when the Conn.Handshake fails during ALPN negotiation in crypto/tls. A remote attacker can pass specially crafted input via an error message and influence the application behavior, leading to a potential spoofing attack.
8) Input validation error (CVE-ID: CVE-2025-58188)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in crypto/x509 due to an error when validating certificate chains which contain DSA public keys. A remote attacker can pass a specially crafted certificate to the application and crash it.
9) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http because the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption.
10) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-53643)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to not parsing trailer sections of an HTTP request. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
11) Resource exhaustion (CVE-ID: CVE-2025-58185)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/asn1 because the application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.
12) Resource exhaustion (CVE-ID: CVE-2025-58183)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in archive/tar because the tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A remote attacker can pass a specially crafted archive to the application and perform a denial of service (DoS) attack.
13) Input validation error (CVE-ID: CVE-2025-47912)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists in net/url because the Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. A remote attacker can abuse such behavior to perform spoofing attacks.
14) Race condition (CVE-ID: CVE-2025-47907)
The vulnerability allows an attacker to tamper with the application.
The vulnerability exists due to a race condition when canceling a DB query. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system. A remote user can overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
15) Input validation error (CVE-ID: CVE-2025-47906)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of the PATH environment variable in LookPath. A local user can pass specially crafted strings to the application and execute arbitrary OS commands with elevated privileges.
16) Information disclosure (CVE-ID: CVE-2025-4673)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because sensitive Proxy-Authorization and Proxy-Authenticate headers are not cleared on cross-origin redirect in net/http. A remote attacker can gain access to credentials passed via these headers.
17) Protection Mechanism Failure (CVE-ID: CVE-2025-22874)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in crypto/x509 when using ExtKeyUsageAny. When calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny it disables policy validation.
This only affected certificate chains which contain policy graphs, which are rather uncommon.
18) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-22871)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests when handling chunked data in net/http. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
19) Link following (CVE-ID: CVE-2025-0913)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an insecure link following issue within the os.OpenFile(path, os.O_CREATE|O_EXCL) method when handling dangling symlinks on Windows systems. A local user can create a specially crafted symbolic link and write arbitrary files to the system.
20) Out-of-bounds write (CVE-ID: CVE-2025-9230)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when trying to decrypt CMS messages encrypted using password based encryption. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
Successful exploitation of the vulnerability requires that password based (PWRI) encryption support in CMS messages is enabled.
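For item 13 (CVE-2025-47912), the check that the description says net/url's Parse did not enforce can be written as an application-side validation. This is an added example, not code from the bulletin, Splunk or the Go project; the function name `bracketedHostOK` and the sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// bracketedHostOK (hypothetical helper) reports whether raw parses as a URL
// and, when its host uses square brackets, they enclose a real IPv6 address.
func bracketedHostOK(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false // a parser that already rejects the host ends up here
	}
	host := u.Host
	if !strings.HasPrefix(host, "[") {
		// Brackets are only meaningful at the start of the host.
		return !strings.ContainsAny(host, "[]")
	}
	end := strings.LastIndex(host, "]")
	if end < 0 {
		return false
	}
	// Only an optional ":port" may follow the closing bracket.
	if rest := host[end+1:]; rest != "" && !strings.HasPrefix(rest, ":") {
		return false
	}
	addr, err := netip.ParseAddr(host[1:end])
	return err == nil && addr.Is6()
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{
		"https://[2001:db8::1]:8443/api",
		"https://[example.com]/login",
		"https://[192.0.2.10]/",
		"https://example.com/",
	} {
		fmt.Printf("%-32s ok=%v\n", raw, bracketedHostOK(raw))
	}
}
```

The function returns the same result whether or not the underlying net/url already rejects the input, so it can be used to audit stored or logged URLs as well as to validate new ones.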
Remediation
Install the update from the vendor's website.