Hi,

On Sun, May 03, 2026 at 11:13:59AM -0300, Carlos Henrique Lima Melara wrote:
> Hi,
> 
> I'm reviewing Matheus Polkorny's changes for the 4.4.15 security update and
> found that CVE-2026-6526 might affect 4.4.x. It's not mentioned in the
> release notes nor in wnpa-sec-2026-35, but the fix was merged [1] in the
> 4.4 stable branch. I've asked for a clarification from upstream [2].

To loop back:

|The function is called in fewer places in 4.4.x (the POC doesn't work
|on 4.4) and by inspection it appears that all the times that it is
|called in 4.4 the prefix is guaranteed to exist via other checks
|beforehand. However, out of an abundance of caution it didn't hurt to
|cherry pick the fix.

So I believe we can keep the tracking as it is now.

Regards,
Salvatore
