This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal
Release v0.2.23 patches a critical Use-After-Free vulnerability in the av module when peers go offline.
Why it matters: The fix addresses advisory GHSA-42vg-9mg3-399f (severity 90), which affects audio/video handling; all deployments should upgrade immediately to prevent memory corruption.
Summary
AI summary: Fixes a critical GHSA-42vg-9mg3-399f Use-After-Free vulnerability in audio/video peer handling.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Fixes Use-After-Free vulnerability in av module when peer goes offline. (Source: llm_adapter@2026-06-03; confidence: high) | — |
| Feature | Low | Adds `Tox_Iterate_Options` for granular control over `tox_iterate`. (Source: llm_adapter@2026-06-03; confidence: high) | — |
| Feature | Low | Adds function to retrieve list of valid group chat numbers. (Source: llm_adapter@2026-06-03; confidence: high) | — |
| Bugfix | Medium | Limits number of saved group peers when loading from disk and adds bounds test. (Source: llm_adapter@2026-06-03; confidence: low) | — |
| Bugfix | Low | Suppresses IPv6 node warning when IPv6 is disabled. (Source: granite4.1:30b@2026-06-03-audit; confidence: low) | — |
| Bugfix | Low | Corrects max size announcements in GCA by 32 bytes. (Source: granite4.1:30b@2026-06-03-audit; confidence: low) | — |
| Bugfix | Low | Sizes GCA onion announce response buffer to actual content length. (Source: granite4.1:30b@2026-06-03-audit; confidence: low) | — |
| Bugfix | Low | Fixes mypy failure in tests. (Source: granite4.1:30b@2026-06-03-audit; confidence: low) | — |
| Refactor | Low | Refactors DHT memory handling to prevent double-free when loading multiple states. (Source: granite4.1:30b@2026-06-03-audit; confidence: low) | — |
Full changelog
Release notes
This release includes a critical bug fix, other bug fixes, and some small features and test improvements.
The critical bug was discovered during a manual audit performed by iphy. You can find more on the issue at https://github.com/TokTok/c-toxcore/security/advisories/GHSA-42vg-9mg3-399f .
Other bug fixes were applied all over the codebase and should result in an even more stable core experience.
A minor noteworthy feature that was added is a function to get a list of group chats, further improving ngc quality of life.
As always, none of the public-facing APIs (tox.h/toxav.h/toxencryptsave.h/etc) were modified or removed, which should make this update seamless.
Bug Fixes
- limit number of saved group peers when loading from disk And add `unpack_gc_saved_peers` bounds test. (de31d805)
- wrong comment in group code (147dbe11)
- DHT:
- av: Fix Use-After-Free when peer goes offline. (dbb65223)
- gca: announce max sizes were 32 bytes too large (5080b21c)
- onion: Size GCA announce response buffer to actual content length. (23853004)
- test: fix mypy failure (8016a502)
Features
Security Fixes
- GHSA-42vg-9mg3-399f — Fix Use‑After‑Free when peer goes offline in av module