SB2026041576 - Meinberg LANTIME firmware update for third-party components



SB2026041576 - Meinberg LANTIME firmware update for third-party components

Published: April 15, 2026

Security Bulletin ID SB2026041576
CSH Severity
Critical
Patch available
YES
Number of vulnerabilities 19
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 5% High 11% Medium 68% Low 16%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 19 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-0967)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the match_pattern() function when comparing configuration files or known hosts against the hostname. A local user with ability to modify the configuration file or known_hosts file can crash the application. 


2) Resource exhaustion (CVE-ID: CVE-2026-27171)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Resource exhaustion (CVE-ID: CVE-2026-0992)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


4) Uncontrolled Recursion (CVE-ID: CVE-2026-0990)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an uncontrolled recursion in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker can pass specially crafted input to the application and perform a denial of service attack.


5) Uncontrolled Recursion (CVE-ID: CVE-2026-0989)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an uncontrolled recursion in the RelaxNG parser. A remote attacker can pass specially crafted input to the application and perform a denial of service attack.


6) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-24061)

CWE-ID: CWE-88 - Argument Injection or Modification

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when processing attacker-controlled USER environment variable. A remote non-authenticated attacker can simply connect to the remote server with a specially crafted environment variable and obtain root privileges. 

Exploitation example:

USER='-f root' telnet -a <host>



7) Out-of-bounds read (CVE-ID: CVE-2026-0968)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the sftp_parse_longname() function. A malicious SFTP server can send a specially crafted SSH_FXP_NAME message to trigger an out-of-bounds read and crash the application or read parts of system memory on the client system. 


8) Buffer underflow (CVE-ID: CVE-2026-0966)

CWE-ID: CWE-124 - Buffer Underwrite ('Buffer Underflow')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error within the ssh_get_hexa() function when reading zero-length input during GSSAPI authentication. A remote attacker can send specially crafted data to the application and perform a denial of service attack. 


9) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2026-1965)

CWE-ID: CWE-305 - Authentication Bypass by Primary Weakness

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper reuse of HTTP Negotiate connection. A remote attacker can bypass authentication and gain access to the target system.


10) Input validation error (CVE-ID: CVE-2026-0965)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to crash the application.

The vulnerability exists due to insufficient validation of user-supplied input when parsing configuration filers. A local user can supply a specially crafted configuration and crash the application.


11) Path traversal (CVE-ID: CVE-2026-0964)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can trick the victim into connecting to a malicious SCP server and overwrite arbitrary files on the user's system. 


12) Heap-based buffer overflow (CVE-ID: CVE-2026-25646)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the png_set_quantize() API function. A remote attacker can pass specially crafted PNG image to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


13) Release of invalid pointer or reference (CVE-ID: CVE-2026-1584)

CWE-ID: CWE-763 - Release of invalid pointer or reference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to invalid pointer access in TLS 1.3 implementation. A remote attacker can send an invalid PSK binder value in ClientHello message and perform a denial of service attack. 


14) Resource exhaustion (CVE-ID: CVE-2025-14831)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when verifying certificates with a large amount of name constraints. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


15) Integer overflow (CVE-ID: CVE-2026-25210)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow within the doContent() function. A remote attacker can pass specially crafted XML data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


16) NULL pointer dereference (CVE-ID: CVE-2026-24515)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in XML_ExternalEntityParserCreate. A remote attacker can pass specially crafted XML data to the application and perform a denial of service (DoS) attack.


17) Use-after-free (CVE-ID: CVE-2026-3805)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when doing a second SMB request to the same host again. A remote attacker can gain access to sensitive information on the system.


18) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2026-3784)

CWE-ID: CWE-305 - Authentication Bypass by Primary Weakness

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to wrong proxy connection reuse with credentials. A remote attacker can bypass authentication and gain access to the target system.


19) Insufficiently protected credentials (CVE-ID: CVE-2026-3783)

CWE-ID: CWE-522 - Insufficiently Protected Credentials

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to insufficiently protected credentials When the OAuth2 bearer token is used for an HTTP(S) transfer. A remote attacker can gain access to sensitive information on the system.


Remediation

Install update from vendor's website.