CTRL-OS Security Tracker
This is the security tracker for CTRL-OS. It allows monitoring the status of vulnerabilities that affect CTRL-OS releases. Vulnerabilities are ingested from official sources such as NVD.
For general information about installing or upgrading CTRL-OS, refer to the documentation. We are eager to hear your feedback and suggestions for this security tracker. Channels to reach us are documented here.
Releases
These are the currently supported releases.
Note
Vulnerability analyses for CTRL-OS 24.05 are not complete and are intended as a feature preview.
Latest Events
CVE-2026-40962
CTRL-OS 24.05
ffmpeg
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.
2026-04-23 02:10 CEST
New
CVE-2026-4519
CTRL-OS 24.05
python3
webbrowser.open() allows leading dashes in URLs
2026-04-23 02:10 CEST
New
CVE-2025-70873
CTRL-OS 24.05
sqlite
An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.
2026-04-23 02:10 CEST
New
CVE-2026-29111
CTRL-OS 24.05
systemd
systemd: Local unprivileged user can trigger an assert
2026-04-23 02:10 CEST
New
CVE-2026-40226
CTRL-OS 24.05
systemd
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
2026-04-23 02:10 CEST
New
CVE-2026-33899
CTRL-OS 24.05
imagemagick
ImageMagick: Heap BufferOverflow write of single zero byte when parsing XML
2026-04-23 02:09 CEST
New
CVE-2026-33900
CTRL-OS 24.05
imagemagick
ImageMagick has a Heap overflow caused by integer overflow/wraparound in viff encoder on 32-bit builds
2026-04-23 02:09 CEST
New
CVE-2026-33901
CTRL-OS 24.05
imagemagick
ImageMagick has a Heap Buffer Overflow via MVG decoder
2026-04-23 02:09 CEST
New
CVE-2026-33902
CTRL-OS 24.05
imagemagick
ImageMagick: Stack Overflow via Recursive FX Expression Parsing
2026-04-23 02:09 CEST
New
CVE-2026-33905
CTRL-OS 24.05
imagemagick
ImageMagick has an Out-of-Bounds read via -sample operation
2026-04-23 02:09 CEST
New
CVE-2026-33908
CTRL-OS 24.05
imagemagick
ImageMagick is vulnerable to Stack Overflow in DestroyXMLTree()
2026-04-23 02:09 CEST
New
CVE-2026-34238
CTRL-OS 24.05
imagemagick
ImageMagick: Integer overflow in despeckle operation causes heap buffer overflow on 32-bit builds
2026-04-23 02:09 CEST
New
CVE-2026-40169
CTRL-OS 24.05
imagemagick
ImageMagick: Heap buffer overflow (WRITE) in the YAML and JSON encoders
2026-04-23 02:09 CEST
New
CVE-2026-40183
CTRL-OS 24.05
imagemagick
ImageMagick: Heap buffer overflow when encoding JXL image with a 16-bit float
2026-04-23 02:09 CEST
New
CVE-2026-40310
CTRL-OS 24.05
imagemagick
ImageMagick: Heap out-of-bounds write in JP2 encoder
2026-04-23 02:09 CEST
New
CVE-2026-40311
CTRL-OS 24.05
imagemagick
ImageMagick: Heap-use-after-free via XMP profile could result in a crash when printing values
2026-04-23 02:09 CEST
New
CVE-2026-40312
CTRL-OS 24.05
imagemagick
ImageMagick: Off-by-One in MSL decoder could result in crash
2026-04-23 02:09 CEST
New
CVE-2026-1837
CTRL-OS 24.05
libjxl
libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2
2026-04-22 16:55 CEST
In Progress → Resolved
Updated to 0.10.5, which contains a fix.
CVE-2026-1837
CTRL-OS 24.05
libjxl
libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2
2026-04-15 14:49 CEST
Plausible → In Progress
CVE-2026-1837
CTRL-OS 24.05
libjxl
libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2
2026-04-15 14:48 CEST
Acknowledged → Plausible
CVE-2026-1837
CTRL-OS 24.05
libjxl
libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2
2026-04-15 14:13 CEST
Acknowledged
CVE-2026-35094
CTRL-OS 24.05
Libinput: libinput: information disclosure via dangling pointer in lua plugin handling
2026-04-09 19:52 CEST
New
CVE-2026-35093
CTRL-OS 24.05
libinput
Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins
2026-04-09 19:42 CEST
New → Invalid
False positive due to bad CVE “configuration” data.
Code added in:
- https://gitlab.freedesktop.org/libinput/libinput/-/commit/9e37bc0cfa4d975291e5a2899e148fb83526d4a2
The commit was added during the 1.30 development phase, and the file and feature do not exist for 1.29 or prior versions.
CVE-2026-35093
CTRL-OS 24.05
libinput
Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins
2026-04-09 19:28 CEST
New
CVE-2026-34543
CTRL-OS 24.05
openexr
OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
2026-04-09 18:42 CEST
Acknowledged → Plausible
CVE-2026-34380
CTRL-OS 24.05
openexr
OpenEXR has a signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
2026-04-09 18:42 CEST
Acknowledged → Plausible
CVE-2026-34379
CTRL-OS 24.05
openexr
OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
2026-04-09 18:42 CEST
Acknowledged → Plausible
CVE-2026-34544
CTRL-OS 24.05
openexr
OpenEXR: integer overflow to OOB write in uncompress_b44_impl()
2026-04-09 18:42 CEST
Acknowledged → Plausible
CVE-2026-34588
CTRL-OS 24.05
openexr
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
2026-04-09 18:42 CEST
Acknowledged → Plausible
CVE-2026-34589
CTRL-OS 24.05
openexr
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
2026-04-09 18:42 CEST
Acknowledged → Plausible