Merge pull request #50 from MeghaMoncy/master

MeghaMoncy · web-flow · commit a985acbe1612 · 2026-02-13T14:24:17.000-05:00
Updating to add OSG-SEC-2026-02-10 CRITICAL risk MUNGE buffer overflow vulnerability (CVE-2026-25506)
diff --git a/docs/OSGSecurityAnnouncements.md b/docs/OSGSecurityAnnouncements.md
@@ -1,5 +1,6 @@
 | Date        | Title                                                 | Contents/Link       |   Risk        |
 |-------------|-------------------------------------------------------|---------------------|---------------|
+| 2026-02-10  | CRITICAL risk MUNGE buffer overflow vulnerability (CVE-2026-25506) | [OSG-SEC-2026-02-10](./vulns/OSG-SEC-2026-02-10.md) |     |
 | 2026-01-27  | CRITICAL ROOT Framework Remote Code Execution Vulnerability (CVE-2026-24811, CVE-2026-24812) | [OSG-SEC-2026-01-27](./vulns/OSG-SEC-2026-01-27.md) |     |
 | 2025-12-04  | CRITICAL React Server Components Vulnerability (CVE-2025-55182) | [OSG-SEC-2025-12-04](./vulns/OSG-SEC-2025-12-04.md) |     |
 | 2025-09-11  | linux-kernel: CRITICAL risk vulnerability allowing local privilege escalation,CVE-2025-38352 | [OSG-SEC-2025-09-11](./vulns/OSG-SEC-2025-09-11.md) |     |
diff --git a/docs/vulns/OSG-SEC-2026-02-10.md b/docs/vulns/OSG-SEC-2026-02-10.md
@@ -0,0 +1,25 @@
+# OSG-SEC-2026-02-10 CRITICAL risk MUNGE buffer overflow vulnerability (CVE-2026-25506)
+
+Dear OSG Security Contacts,
+
+MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, a local attacker cou>
+
+## IMPACTED VERSIONS:
+>= 0.5,  <= 0.5.17
+
+## WHAT ARE THE VULNERABILITIES:
+An attacker who obtains this leaked key material could forge arbitrary MUNGE credentials to impersonate any user (includi>
+
+## MITIGATION
+As a precautionary measure, regenerate MUNGE keys on all systems after patching. Note that key regeneration requires stop>
+
+## WHAT YOU SHOULD DO:
+Site admins should upgrade to 0.5.18 or apply vendor-supported updates that include fixes for CVE-2026-25506.
+
+## REFERENCES 
+[1] https://nvd.nist.gov/vuln/detail/CVE-2026-25506  
+[2] https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh  
+
+Please contact the OSG security team at security@osg-htc.org if you have any questions or concerns.
+
+OSG Security Team
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -12,6 +12,7 @@ nav:
   - Overview: 'OSGSecurityAnnouncements.md'
   - Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
 - Announcement Details:
+    - OSG-SEC-2026-02-10 CRITICAL risk MUNGE buffer overflow vulnerability (CVE-2026-25506): './vulns/OSG-SEC-2026-02-10.md'
     - OSG-SEC-2026-01-27 CRITICAL ROOT Framework Remote Code Execution Vulnerability (CVE-2026-24811, CVE-2026-24812): './vulns/OSG-SEC-2026-01-27.md'
     - OSG-SEC-2025-12-04 CRITICAL React Server Components Vulnerability (CVE-2025-55182): './vulns/OSG-SEC-2025-12-04.md'
     - OSG-SEC-2025-09-11 linux-kernel- CRITICAL risk vulnerability allowing local privilege escalation,CVE-2025-38352: './vulns/OSG-SEC-2025-09-11.md'
