Main Vulnerability Database SB2026021367

SB2026021367 - Fedora 44 update for asciinema, atuin, bustle, envision, glycin, greetd, helix, keylime-agent-rust, maturin, mirrorlist-server, ntpd-rs, rust-add-determinism, rust-afterburn, rust-app-store-connect, rust-bat, rust-below, rust-btrd, rust-busd, rust-bytes,

Published: February 13, 2026

Security Bulletin ID SB2026021367

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Type confusion (CVE-ID: CVE-2026-25537)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a type confusion error when parsing standard claims in an incorrect format. If a claim is provided with an incorrect JSON type, the application's internal parsing mechanism marks the claim as "FailedToParse" and the validation logic treats this state identically to "NotPresent". If this check is enabled, e.g. "validate_nbf = true" but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim. A remote attacker can bypass authorization checks and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2026-1b11ddff94

Vulnerable Software

Fedora: 44
uv: before 0.9.30-2.fc44
tuigreet: before 0.9.1-7.fc44
tbtools: before 0.7.0-3.fc44
sad: before 0.4.32-4.fc44
rustup: before 1.28.2-8.fc44
rust-ybaas: before 0.0.19-6.fc44
rust-wiremix: before 0.7.0-3.fc44
rust-weezl: before 0.1.12-3.fc44
rust-tokei: before 14.0.0-4.fc44
rust-time-macros: before 0.2.27-1.fc44
rust-time-core: before 0.1.8-1.fc44
rust-time: before 0.3.47-2.fc44
rust-tealdeer: before 1.7.2-4.fc44
rust-speakersafetyd: before 1.0.2-6.fc44
rust-snpguest: before 0.9.2-4.fc44
rust-sigul-pesign-bridge: before 0.6.0-3.fc44
rust-shadow-rs: before 0.8.1-14.fc44
rust-sevctl: before 0.6.2-6.fc44
rust-sequoia-sq: before 1.3.1-10.fc44
rust-sequoia-octopus-librnp: before 1.11.1-5.fc44
rust-sequoia-keystore-server: before 0.2.0-6.fc44
rust-sequoia-chameleon-gnupg: before 0.13.1-9.fc44
rust-scx_rusty: before 0.5.4-7.fc44
rust-scx_rustland: before 0.0.3-7.fc44
rust-scx_layered: before 0.0.6-7.fc44
rust-sccache: before 0.13.0-3.fc44
rust-routinator: before 0.14.2-4.fc44
rust-resctl-demo: before 2.2.5-9.fc44
rust-resctl-bench: before 2.2.5-10.fc44
rust-redlib: before 0.35.1-10.fc44
rust-rd-hashd: before 2.2.5-10.fc44
rust-rd-agent: before 2.2.5-14.fc44
rust-rbw: before 1.13.2-5.fc44
rust-rbspy: before 0.34.1-4.fc44
rust-procs: before 0.14.10-7.fc44
rust-pretty-git-prompt: before 0.2.2-9.fc44
rust-pore: before 0.1.17-11.fc44
rust-pleaser: before 0.5.6-6.fc44
rust-oo7-cli: before 0.4.3-4.fc44
rust-onefetch: before 2.26.1-7.fc44
rust-num-conv: before 0.2.0-1.fc44
rust-nu: before 0.99.1-16.fc44
rust-muvm: before 0.4.1-5.fc44
rust-monitord-exporter: before 0.4.1-8.fc44
rust-monitord: before 0.12.1-6.fc44
rust-lsd: before 1.2.0-3.fc44
rust-jsonwebtoken: before 9.3.1-4.fc44
rust-ingredients: before 0.2.2-2.fc44
rust-heatseeker: before 1.7.3-4.fc44
rust-gst-plugin-reqwest: before 0.14.3-3.fc44
rust-gst-plugin-dav1d: before 0.14.0-3.fc44
rust-gitui: before 0.28.0-3.fc44
rust-git2: before 0.20.4-1.fc44
rust-git-interactive-rebase-tool: before 2.4.1-15.fc44
rust-git-delta: before 0.18.2-13.fc44
rust-eif_build: before 0.2.1-6.fc44
rust-dua-cli: before 2.32.2-3.fc44
rust-crypto-auditing-log-parser: before 0.2.4-3.fc44
rust-crypto-auditing-event-broker: before 0.2.4-3.fc44
rust-crypto-auditing-client: before 0.2.4-3.fc44
rust-crypto-auditing-agent: before 0.2.4-4.fc44
rust-coreos-installer: before 0.25.0-4.fc44
rust-cargo-deny: before 0.18.9-4.fc44
rust-cargo-c: before 0.10.18-3.fc44
rust-bytes: before 1.11.1-1.fc44
rust-busd: before 0.3.1-6.fc44
rust-btrd: before 0.5.3-12.fc44
rust-below: before 0.9.0-6.fc44
rust-bat: before 0.25.0-9.fc44
rust-app-store-connect: before 0.5.0-6.fc44
rust-afterburn: before 5.10.0-3.fc44
rust-add-determinism: before 0.7.2-4.fc44
ntpd-rs: before 1.6.2-3.fc44
mirrorlist-server: before 3.0.8-3.fc44
maturin: before 1.9.6-4.fc44
keylime-agent-rust: before 0.2.8-11.fc44
helix: before 25.07.1-7.fc44
greetd: before 0.10.3-6.fc44
glycin: before 2.0.5-4.fc44
envision: before 3.2.0-7.fc44
bustle: before 0.13.0-4.fc44
atuin: before 18.6.1-10.fc44
asciinema: before 3.0.0-5.fc44